Microsoft.SecurityInsights dataConnectors

• Latest
• 2024-10-01-preview
• 2024-09-01
• 2024-04-01-preview
• 2024-03-01
• 2024-01-01-preview
• 2023-12-01-preview
• 2023-11-01
• 2023-10-01-preview
• 2023-09-01-preview
• 2023-08-01-preview
• 2023-07-01-preview
• 2023-06-01-preview
• 2023-05-01-preview
• 2023-04-01-preview
• 2023-03-01-preview
• 2023-02-01
• 2023-02-01-preview
• 2022-12-01-preview
• 2022-11-01
• 2022-11-01-preview
• 2022-10-01-preview
• 2022-09-01-preview
• 2022-08-01
• 2022-08-01-preview
• 2022-07-01-preview
• 2022-06-01-preview
• 2022-05-01-preview
• 2022-04-01-preview
• 2022-01-01-preview
• 2021-10-01
• 2021-10-01-preview
• 2021-09-01-preview
• 2021-03-01-preview
• 2020-01-01
• 2019-01-01-preview

Bicep resource definition

The dataConnectors resource type can be deployed with operations that target:

For a list of changed properties in each API version, see change log.

Resource format

To create a Microsoft.SecurityInsights/dataConnectors resource, add the following Bicep to your template.

resource symbolicname 'Microsoft.SecurityInsights/dataConnectors@2024-10-01-preview' = {
  etag: 'string'
  name: 'string'
  kind: 'string'
  // For remaining properties, see Microsoft.SecurityInsights/dataConnectors objects
}

CcpAuthConfig objects

Set the type property to specify the type of object.

For APIKey, use:

{
  apiKey: 'string'
  apiKeyIdentifier: 'string'
  apiKeyName: 'string'
  isApiKeyInPostPayload: bool
  type: 'APIKey'
}

For AWS, use:

{
  externalId: 'string'
  roleArn: 'string'
  type: 'AWS'
}

For Basic, use:

{
  password: 'string'
  type: 'Basic'
  userName: 'string'
}

For GCP, use:

{
  projectNumber: 'string'
  serviceAccountEmail: 'string'
  type: 'GCP'
  workloadIdentityProviderId: 'string'
}

For GitHub, use:

{
  installationId: 'string'
  type: 'GitHub'
}

For JwtToken, use:

{
  headers: {
    {customized property}: 'string'
  }
  isCredentialsInHeaders: bool
  isJsonRequest: bool
  password: {
    {customized property}: 'string'
  }
  queryParameters: {
    {customized property}: 'string'
  }
  requestTimeoutInSeconds: int
  tokenEndpoint: 'string'
  type: 'JwtToken'
  userName: {
    {customized property}: 'string'
  }
}

For None, use:

{
  type: 'None'
}

For OAuth2, use:

{
  accessTokenPrepend: 'string'
  authorizationCode: 'string'
  authorizationEndpoint: 'string'
  authorizationEndpointHeaders: {
    {customized property}: 'string'
  }
  authorizationEndpointQueryParameters: {
    {customized property}: 'string'
  }
  clientId: 'string'
  clientSecret: 'string'
  grantType: 'string'
  isCredentialsInHeaders: bool
  isJwtBearerFlow: bool
  redirectUri: 'string'
  scope: 'string'
  tokenEndpoint: 'string'
  tokenEndpointHeaders: {
    {customized property}: 'string'
  }
  tokenEndpointQueryParameters: {
    {customized property}: 'string'
  }
  type: 'OAuth2'
}

For Oracle, use:

{
  pemFile: 'string'
  publicFingerprint: 'string'
  tenantId: 'string'
  type: 'Oracle'
  userId: 'string'
}

For ServiceBus, use:

{
  credentialsConfig: {
    {customized property}: 'string'
  }
  storageAccountCredentialsConfig: {
    {customized property}: 'string'
  }
  type: 'ServiceBus'
}

For Session, use:

{
  headers: {
    {customized property}: 'string'
  }
  isPostPayloadJson: bool
  password: {
    {customized property}: 'string'
  }
  queryParameters: {
    {customized property}: any(Azure.Bicep.Types.Concrete.AnyType)
  }
  sessionIdName: 'string'
  sessionLoginRequestUri: 'string'
  sessionTimeoutInMinutes: int
  type: 'Session'
  userName: {
    {customized property}: 'string'
  }
}

Microsoft.SecurityInsights/dataConnectors objects

Set the kind property to specify the type of object.

For APIPolling, use:

{
  kind: 'APIPolling'
  properties: {
    connectorUiConfig: {
      availability: {
        isPreview: bool
        status: '1'
      }
      connectivityCriteria: [
        {
          type: 'string'
          value: [
            'string'
          ]
        }
      ]
      customImage: 'string'
      dataTypes: [
        {
          lastDataReceivedQuery: 'string'
          name: 'string'
        }
      ]
      descriptionMarkdown: 'string'
      graphQueries: [
        {
          baseQuery: 'string'
          legend: 'string'
          metricName: 'string'
        }
      ]
      graphQueriesTableName: 'string'
      instructionSteps: [
        {
          description: 'string'
          instructions: [
            {
              parameters: any(Azure.Bicep.Types.Concrete.AnyType)
              type: 'string'
            }
          ]
          title: 'string'
        }
      ]
      permissions: {
        customs: [
          {
            description: 'string'
            name: 'string'
          }
        ]
        resourceProvider: [
          {
            permissionsDisplayText: 'string'
            provider: 'string'
            providerDisplayName: 'string'
            requiredPermissions: {
              action: bool
              delete: bool
              read: bool
              write: bool
            }
            scope: 'string'
          }
        ]
      }
      publisher: 'string'
      sampleQueries: [
        {
          description: 'string'
          query: 'string'
        }
      ]
      title: 'string'
    }
    pollingConfig: {
      auth: {
        apiKeyIdentifier: 'string'
        apiKeyName: 'string'
        authorizationEndpoint: 'string'
        authorizationEndpointQueryParameters: any(Azure.Bicep.Types.Concrete.AnyType)
        authType: 'string'
        flowName: 'string'
        isApiKeyInPostPayload: 'string'
        isClientSecretInHeader: bool
        redirectionEndpoint: 'string'
        scope: 'string'
        tokenEndpoint: 'string'
        tokenEndpointHeaders: any(Azure.Bicep.Types.Concrete.AnyType)
        tokenEndpointQueryParameters: any(Azure.Bicep.Types.Concrete.AnyType)
      }
      isActive: bool
      paging: {
        nextPageParaName: 'string'
        nextPageTokenJsonPath: 'string'
        pageCountAttributePath: 'string'
        pageSize: int
        pageSizeParaName: 'string'
        pageTimeStampAttributePath: 'string'
        pageTotalCountAttributePath: 'string'
        pagingType: 'string'
        searchTheLatestTimeStampFromEventsList: 'string'
      }
      request: {
        apiEndpoint: 'string'
        endTimeAttributeName: 'string'
        headers: any(Azure.Bicep.Types.Concrete.AnyType)
        httpMethod: 'string'
        queryParameters: any(Azure.Bicep.Types.Concrete.AnyType)
        queryParametersTemplate: 'string'
        queryTimeFormat: 'string'
        queryWindowInMin: int
        rateLimitQps: int
        retryCount: int
        startTimeAttributeName: 'string'
        timeoutInSeconds: int
      }
      response: {
        eventsJsonPaths: [
          'string'
        ]
        isGzipCompressed: bool
        successStatusJsonPath: 'string'
        successStatusValue: 'string'
      }
    }
  }
}

For AmazonWebServicesCloudTrail, use:

{
  kind: 'AmazonWebServicesCloudTrail'
  properties: {
    awsRoleArn: 'string'
    dataTypes: {
      logs: {
        state: 'string'
      }
    }
  }
}

For AmazonWebServicesS3, use:

{
  kind: 'AmazonWebServicesS3'
  properties: {
    dataTypes: {
      logs: {
        state: 'string'
      }
    }
    destinationTable: 'string'
    roleArn: 'string'
    sqsUrls: [
      'string'
    ]
  }
}

For AzureActiveDirectory, use:

{
  kind: 'AzureActiveDirectory'
  properties: {
    dataTypes: {
      alerts: {
        state: 'string'
      }
    }
    tenantId: 'string'
  }
}

For AzureAdvancedThreatProtection, use:

{
  kind: 'AzureAdvancedThreatProtection'
  properties: {
    dataTypes: {
      alerts: {
        state: 'string'
      }
    }
    tenantId: 'string'
  }
}

For AzureSecurityCenter, use:

{
  kind: 'AzureSecurityCenter'
  properties: {
    dataTypes: {
      alerts: {
        state: 'string'
      }
    }
    subscriptionId: 'string'
  }
}

For Dynamics365, use:

{
  kind: 'Dynamics365'
  properties: {
    dataTypes: {
      dynamics365CdsActivities: {
        state: 'string'
      }
    }
    tenantId: 'string'
  }
}

For GCP, use:

{
  kind: 'GCP'
  properties: {
    auth: {
      projectNumber: 'string'
      serviceAccountEmail: 'string'
      workloadIdentityProviderId: 'string'
    }
    connectorDefinitionName: 'string'
    dcrConfig: {
      dataCollectionEndpoint: 'string'
      dataCollectionRuleImmutableId: 'string'
      streamName: 'string'
    }
    request: {
      projectId: 'string'
      subscriptionNames: [
        'string'
      ]
    }
  }
}

For GenericUI, use:

{
  kind: 'GenericUI'
  properties: {
    connectorUiConfig: {
      availability: {
        isPreview: bool
        status: '1'
      }
      connectivityCriteria: [
        {
          type: 'string'
          value: [
            'string'
          ]
        }
      ]
      customImage: 'string'
      dataTypes: [
        {
          lastDataReceivedQuery: 'string'
          name: 'string'
        }
      ]
      descriptionMarkdown: 'string'
      graphQueries: [
        {
          baseQuery: 'string'
          legend: 'string'
          metricName: 'string'
        }
      ]
      graphQueriesTableName: 'string'
      instructionSteps: [
        {
          description: 'string'
          instructions: [
            {
              parameters: any(Azure.Bicep.Types.Concrete.AnyType)
              type: 'string'
            }
          ]
          title: 'string'
        }
      ]
      permissions: {
        customs: [
          {
            description: 'string'
            name: 'string'
          }
        ]
        resourceProvider: [
          {
            permissionsDisplayText: 'string'
            provider: 'string'
            providerDisplayName: 'string'
            requiredPermissions: {
              action: bool
              delete: bool
              read: bool
              write: bool
            }
            scope: 'string'
          }
        ]
      }
      publisher: 'string'
      sampleQueries: [
        {
          description: 'string'
          query: 'string'
        }
      ]
      title: 'string'
    }
  }
}

For IOT, use:

{
  kind: 'IOT'
  properties: {
    dataTypes: {
      alerts: {
        state: 'string'
      }
    }
    subscriptionId: 'string'
  }
}

For MicrosoftCloudAppSecurity, use:

{
  kind: 'MicrosoftCloudAppSecurity'
  properties: {
    dataTypes: {
      alerts: {
        state: 'string'
      }
      discoveryLogs: {
        state: 'string'
      }
    }
    tenantId: 'string'
  }
}

For MicrosoftDefenderAdvancedThreatProtection, use:

{
  kind: 'MicrosoftDefenderAdvancedThreatProtection'
  properties: {
    dataTypes: {
      alerts: {
        state: 'string'
      }
    }
    tenantId: 'string'
  }
}

For MicrosoftPurviewInformationProtection, use:

{
  kind: 'MicrosoftPurviewInformationProtection'
  properties: {
    dataTypes: {
      logs: {
        state: 'string'
      }
    }
    tenantId: 'string'
  }
}

For MicrosoftThreatIntelligence, use:

{
  kind: 'MicrosoftThreatIntelligence'
  properties: {
    dataTypes: {
      microsoftEmergingThreatFeed: {
        lookbackPeriod: 'string'
        state: 'string'
      }
    }
    tenantId: 'string'
  }
}

For MicrosoftThreatProtection, use:

{
  kind: 'MicrosoftThreatProtection'
  properties: {
    dataTypes: {
      alerts: {
        state: 'string'
      }
      incidents: {
        state: 'string'
      }
    }
    filteredProviders: {
      alerts: [
        'string'
      ]
    }
    tenantId: 'string'
  }
}

For Office365, use:

{
  kind: 'Office365'
  properties: {
    dataTypes: {
      exchange: {
        state: 'string'
      }
      sharePoint: {
        state: 'string'
      }
      teams: {
        state: 'string'
      }
    }
    tenantId: 'string'
  }
}

For Office365Project, use:

{
  kind: 'Office365Project'
  properties: {
    dataTypes: {
      logs: {
        state: 'string'
      }
    }
    tenantId: 'string'
  }
}

For OfficeATP, use:

{
  kind: 'OfficeATP'
  properties: {
    dataTypes: {
      alerts: {
        state: 'string'
      }
    }
    tenantId: 'string'
  }
}

For OfficeIRM, use:

{
  kind: 'OfficeIRM'
  properties: {
    dataTypes: {
      alerts: {
        state: 'string'
      }
    }
    tenantId: 'string'
  }
}

For OfficePowerBI, use:

{
  kind: 'OfficePowerBI'
  properties: {
    dataTypes: {
      logs: {
        state: 'string'
      }
    }
    tenantId: 'string'
  }
}

For PurviewAudit, use:

{
  kind: 'PurviewAudit'
  properties: {
    connectorDefinitionName: 'string'
    dataTypes: {
      logs: {
        state: 'string'
      }
    }
    dcrConfig: {
      dataCollectionEndpoint: 'string'
      dataCollectionRuleImmutableId: 'string'
      streamName: 'string'
    }
    sourceType: 'string'
    tenantId: 'string'
  }
}

For RestApiPoller, use:

{
  kind: 'RestApiPoller'
  properties: {
    addOnAttributes: {
      {customized property}: 'string'
    }
    auth: {
      type: 'string'
      // For remaining properties, see CcpAuthConfig objects
    }
    connectorDefinitionName: 'string'
    dataType: 'string'
    dcrConfig: {
      dataCollectionEndpoint: 'string'
      dataCollectionRuleImmutableId: 'string'
      streamName: 'string'
    }
    isActive: bool
    paging: {
      pageSize: int
      pageSizeParameterName: 'string'
      pagingType: 'string'
    }
    request: {
      apiEndpoint: 'string'
      endTimeAttributeName: 'string'
      headers: {
        {customized property}: 'string'
      }
      httpMethod: 'string'
      isPostPayloadJson: bool
      queryParameters: {
        {customized property}: any(Azure.Bicep.Types.Concrete.AnyType)
      }
      queryParametersTemplate: 'string'
      queryTimeFormat: 'string'
      queryTimeIntervalAttributeName: 'string'
      queryTimeIntervalDelimiter: 'string'
      queryTimeIntervalPrepend: 'string'
      queryWindowInMin: int
      rateLimitQPS: int
      retryCount: int
      startTimeAttributeName: 'string'
      timeoutInSeconds: int
    }
    response: {
      compressionAlgo: 'string'
      convertChildPropertiesToArray: bool
      csvDelimiter: 'string'
      csvEscape: 'string'
      eventsJsonPaths: [
        'string'
      ]
      format: 'string'
      hasCsvBoundary: bool
      hasCsvHeader: bool
      isGzipCompressed: bool
      successStatusJsonPath: 'string'
      successStatusValue: 'string'
    }
  }
}

For ThreatIntelligence, use:

{
  kind: 'ThreatIntelligence'
  properties: {
    dataTypes: {
      indicators: {
        state: 'string'
      }
    }
    tenantId: 'string'
    tipLookbackPeriod: 'string'
  }
}

For ThreatIntelligenceTaxii, use:

{
  kind: 'ThreatIntelligenceTaxii'
  properties: {
    collectionId: 'string'
    dataTypes: {
      taxiiClient: {
        state: 'string'
      }
    }
    friendlyName: 'string'
    password: 'string'
    pollingFrequency: 'string'
    taxiiLookbackPeriod: 'string'
    taxiiServer: 'string'
    tenantId: 'string'
    userName: 'string'
    workspaceId: 'string'
  }
}

Property values

AADDataConnector

Name	Description	Value
kind	The data connector kind	'AzureActiveDirectory' (required)
properties	AADIP (Azure Active Directory Identity Protection) data connector properties.	AADDataConnectorProperties

AADDataConnectorProperties

Name	Description	Value
dataTypes	The available data types for the connector.	AlertsDataTypeOfDataConnector
tenantId	The tenant id to connect to, and get the data from.	string (required)

AatpDataConnector

Name	Description	Value
kind	The data connector kind	'AzureAdvancedThreatProtection' (required)
properties	AATP (Azure Advanced Threat Protection) data connector properties.	AatpDataConnectorProperties

AatpDataConnectorProperties

Name	Description	Value
dataTypes	The available data types for the connector.	AlertsDataTypeOfDataConnector
tenantId	The tenant id to connect to, and get the data from.	string (required)

AlertsDataTypeOfDataConnector

Name	Description	Value
alerts	Alerts data type connection.	DataConnectorDataTypeCommon (required)

ApiKeyAuthModel

Name	Description	Value
apiKey	API Key for the user secret key credential	string (required)
apiKeyIdentifier	API Key Identifier	string
apiKeyName	API Key name	string (required)
isApiKeyInPostPayload	Flag to indicate if API key is set in HTTP POST payload	bool
type	The auth type	'APIKey' (required)

ApiPollingParameters

Name	Description	Value
connectorUiConfig	Config to describe the instructions blade	CodelessUiConnectorConfigProperties
pollingConfig	Config to describe the polling instructions	CodelessConnectorPollingConfigProperties

ASCDataConnector

Name	Description	Value
kind	The data connector kind	'AzureSecurityCenter' (required)
properties	ASC (Azure Security Center) data connector properties.	ASCDataConnectorProperties

ASCDataConnectorProperties

Name	Description	Value
dataTypes	The available data types for the connector.	AlertsDataTypeOfDataConnector
subscriptionId	The subscription id to connect to, and get the data from.	string

Availability

Name	Description	Value
isPreview	Set connector as preview	bool
status	The connector Availability Status	'1'

AWSAuthModel

Name	Description	Value
externalId	AWS STS assume role external ID. This is used to prevent the confused deputy problem: 'https://docs.aws.amazon.com/IAM/latest/UserGuide/confused-deputy.html'	string
roleArn	AWS STS assume role ARN	string (required)
type	The auth type	'AWS' (required)

AwsCloudTrailDataConnector

Name	Description	Value
kind	The data connector kind	'AmazonWebServicesCloudTrail' (required)
properties	Amazon Web Services CloudTrail data connector properties.	AwsCloudTrailDataConnectorProperties

AwsCloudTrailDataConnectorDataTypes

Name	Description	Value
logs	Logs data type.	AwsCloudTrailDataConnectorDataTypesLogs (required)

AwsCloudTrailDataConnectorDataTypesLogs

Name	Description	Value
state	Describe whether this data type connection is enabled or not.	'Disabled' 'Enabled' (required)

AwsCloudTrailDataConnectorProperties

Name	Description	Value
awsRoleArn	The Aws Role Arn (with CloudTrailReadOnly policy) that is used to access the Aws account.	string
dataTypes	The available data types for the connector.	AwsCloudTrailDataConnectorDataTypes (required)

AwsS3DataConnector

Name	Description	Value
kind	The data connector kind	'AmazonWebServicesS3' (required)
properties	Amazon Web Services S3 data connector properties.	AwsS3DataConnectorProperties

AwsS3DataConnectorDataTypes

Name	Description	Value
logs	Logs data type.	AwsS3DataConnectorDataTypesLogs (required)

AwsS3DataConnectorDataTypesLogs

Name	Description	Value
state	Describe whether this data type connection is enabled or not.	'Disabled' 'Enabled' (required)

AwsS3DataConnectorProperties

Name	Description	Value
dataTypes	The available data types for the connector.	AwsS3DataConnectorDataTypes (required)
destinationTable	The logs destination table name in LogAnalytics.	string (required)
roleArn	The Aws Role Arn that is used to access the Aws account.	string (required)
sqsUrls	The AWS sqs urls for the connector.	string[] (required)

BasicAuthModel

Name	Description	Value
password	The password	string (required)
type	The auth type	'Basic' (required)
userName	The user name.	string (required)

CcpAuthConfig

Name	Description	Value
type	Set to 'APIKey' for type ApiKeyAuthModel. Set to 'AWS' for type AWSAuthModel. Set to 'Basic' for type BasicAuthModel. Set to 'GCP' for type GCPAuthModel. Set to 'GitHub' for type GitHubAuthModel. Set to 'JwtToken' for type JwtAuthModel. Set to 'None' for type NoneAuthModel. Set to 'OAuth2' for type OAuthModel. Set to 'Oracle' for type OracleAuthModel. Set to 'ServiceBus' for type GenericBlobSbsAuthModel. Set to 'Session' for type SessionAuthModel.	'APIKey' 'AWS' 'Basic' 'GCP' 'GitHub' 'JwtToken' 'None' 'OAuth2' 'Oracle' 'ServiceBus' 'Session' (required)

CcpResponseConfig

Name	Description	Value
compressionAlgo	The compression algorithm. For Example: 'gzip', 'multi-gzip', 'deflate'.	string
convertChildPropertiesToArray	The value indicating whether the response isn't an array of events / logs. By setting this flag to true it means the remote server will response with an object which each property has as a value an array of events / logs.	bool
csvDelimiter	The csv delimiter, in case the response format is CSV.	string
csvEscape	The character used to escape characters in CSV.	string Constraints: Min length = 1 Max length = 1
eventsJsonPaths	The json paths, '$' char is the json root.	string[] (required)
format	The response format. possible values are json,csv,xml	string
hasCsvBoundary	The value indicating whether the response has CSV boundary in case the response in CSV format.	bool
hasCsvHeader	The value indicating whether the response has headers in case the response in CSV format.	bool
isGzipCompressed	The value indicating whether the remote server support Gzip and we should expect Gzip response.	bool
successStatusJsonPath	The value where the status message/code should appear in the response.	string
successStatusValue	The status value.	string

CodelessApiPollingDataConnector

Name	Description	Value
kind	The data connector kind	'APIPolling' (required)
properties	Codeless poling data connector properties	ApiPollingParameters

CodelessConnectorPollingAuthProperties

Name	Description	Value
apiKeyIdentifier	A prefix send in the header before the actual token	string
apiKeyName	The header name which the token is sent with	string
authorizationEndpoint	The endpoint used to authorize the user, used in Oauth 2.0 flow	string
authorizationEndpointQueryParameters	The query parameters used in authorization request, used in Oauth 2.0 flow	any
authType	The authentication type	string (required)
flowName	Describes the flow name, for example 'AuthCode' for Oauth 2.0	string
isApiKeyInPostPayload	Marks if the key should sent in header	string
isClientSecretInHeader	Marks if we should send the client secret in header or payload, used in Oauth 2.0 flow	bool
redirectionEndpoint	The redirect endpoint where we will get the authorization code, used in Oauth 2.0 flow	string
scope	The OAuth token scope	string
tokenEndpoint	The endpoint used to issue a token, used in Oauth 2.0 flow	string
tokenEndpointHeaders	The query headers used in token request, used in Oauth 2.0 flow	any
tokenEndpointQueryParameters	The query parameters used in token request, used in Oauth 2.0 flow	any

CodelessConnectorPollingConfigProperties

Name	Description	Value
auth	Describe the authentication type of the poller	CodelessConnectorPollingAuthProperties (required)
isActive	The poller active status	bool
paging	Describe the poll request paging config of the poller	CodelessConnectorPollingPagingProperties
request	Describe the poll request config parameters of the poller	CodelessConnectorPollingRequestProperties (required)
response	Describe the response config parameters of the poller	CodelessConnectorPollingResponseProperties

CodelessConnectorPollingPagingProperties

Name	Description	Value
nextPageParaName	Defines the name of a next page attribute	string
nextPageTokenJsonPath	Defines the path to a next page token JSON	string
pageCountAttributePath	Defines the path to a page count attribute	string
pageSize	Defines the paging size	int
pageSizeParaName	Defines the name of the page size parameter	string
pageTimeStampAttributePath	Defines the path to a paging time stamp attribute	string
pageTotalCountAttributePath	Defines the path to a page total count attribute	string
pagingType	Describes the type. could be 'None', 'PageToken', 'PageCount', 'TimeStamp'	string (required)
searchTheLatestTimeStampFromEventsList	Determines whether to search for the latest time stamp in the events list	string

CodelessConnectorPollingRequestProperties

Name	Description	Value
apiEndpoint	Describe the endpoint we should pull the data from	string (required)
endTimeAttributeName	This will be used the query events from the end of the time window	string
headers	Describe the headers sent in the poll request	any
httpMethod	The http method type we will use in the poll request, GET or POST	string (required)
queryParameters	Describe the query parameters sent in the poll request	any
queryParametersTemplate	For advanced scenarios for example user name/password embedded in nested JSON payload	string
queryTimeFormat	The time format will be used the query events in a specific window	string (required)
queryWindowInMin	The window interval we will use the pull the data	int (required)
rateLimitQps	Defines the rate limit QPS	int
retryCount	Describe the amount of time we should try and poll the data in case of failure	int
startTimeAttributeName	This will be used the query events from a start of the time window	string
timeoutInSeconds	The number of seconds we will consider as a request timeout	int

CodelessConnectorPollingResponseProperties

Name	Description	Value
eventsJsonPaths	Describes the path we should extract the data in the response	string[] (required)
isGzipCompressed	Describes if the data in the response is Gzip	bool
successStatusJsonPath	Describes the path we should extract the status code in the response	string
successStatusValue	Describes the path we should extract the status value in the response	string

CodelessParameters

Name	Description	Value
connectorUiConfig	Config to describe the instructions blade	CodelessUiConnectorConfigProperties

CodelessUiConnectorConfigProperties

Name	Description	Value
availability	Connector Availability Status	Availability (required)
connectivityCriteria	Define the way the connector check connectivity	CodelessUiConnectorConfigPropertiesConnectivityCriteriaItem[] (required)
customImage	An optional custom image to be used when displaying the connector within Azure Sentinel's connector's gallery	string
dataTypes	Data types to check for last data received	CodelessUiConnectorConfigPropertiesDataTypesItem[] (required)
descriptionMarkdown	Connector description	string (required)
graphQueries	The graph query to show the current data status	CodelessUiConnectorConfigPropertiesGraphQueriesItem[] (required)
graphQueriesTableName	Name of the table the connector will insert the data to	string (required)
instructionSteps	Instruction steps to enable the connector	CodelessUiConnectorConfigPropertiesInstructionStepsItem[] (required)
permissions	Permissions required for the connector	Permissions (required)
publisher	Connector publisher name	string (required)
sampleQueries	The sample queries for the connector	CodelessUiConnectorConfigPropertiesSampleQueriesItem[] (required)
title	Connector blade title	string (required)

CodelessUiConnectorConfigPropertiesConnectivityCriteriaItem

Name	Description	Value
type	type of connectivity	'IsConnectedQuery'
value	Queries for checking connectivity	string[]

CodelessUiConnectorConfigPropertiesDataTypesItem

Name	Description	Value
lastDataReceivedQuery	Query for indicate last data received	string
name	Name of the data type to show in the graph. can be use with {{graphQueriesTableName}} placeholder	string

CodelessUiConnectorConfigPropertiesGraphQueriesItem

Name	Description	Value
baseQuery	The base query for the graph	string
legend	The legend for the graph	string
metricName	the metric that the query is checking	string

CodelessUiConnectorConfigPropertiesInstructionStepsItem

Name	Description	Value
description	Instruction step description	string
instructions	Instruction step details	InstructionStepsInstructionsItem[]
title	Instruction step title	string

CodelessUiConnectorConfigPropertiesSampleQueriesItem

Name	Description	Value
description	The sample query description	string
query	the sample query	string

CodelessUiDataConnector

Name	Description	Value
kind	The data connector kind	'GenericUI' (required)
properties	Codeless UI data connector properties	CodelessParameters

DataConnectorDataTypeCommon

Name	Description	Value
state	Describe whether this data type connection is enabled or not.	'Disabled' 'Enabled' (required)

DCRConfiguration

Name	Description	Value
dataCollectionEndpoint	Represents the data collection ingestion endpoint in log analytics.	string (required)
dataCollectionRuleImmutableId	The data collection rule immutable id, the rule defines the transformation and data destination.	string (required)
streamName	The stream we are sending the data to.	string (required)

Dynamics365DataConnector

Name	Description	Value
kind	The data connector kind	'Dynamics365' (required)
properties	Dynamics365 data connector properties.	Dynamics365DataConnectorProperties

Dynamics365DataConnectorDataTypes

Name	Description	Value
dynamics365CdsActivities	Common Data Service data type connection.	Dynamics365DataConnectorDataTypesDynamics365CdsActivities (required)

Dynamics365DataConnectorDataTypesDynamics365CdsActivities

Name	Description	Value
state	Describe whether this data type connection is enabled or not.	'Disabled' 'Enabled' (required)

Dynamics365DataConnectorProperties

Name	Description	Value
dataTypes	The available data types for the connector.	Dynamics365DataConnectorDataTypes (required)
tenantId	The tenant id to connect to, and get the data from.	string (required)

GCPAuthModel

Name	Description	Value
projectNumber	GCP Project Number	string (required)
serviceAccountEmail	GCP Service Account Email	string (required)
type	The auth type	'GCP' (required)
workloadIdentityProviderId	GCP Workload Identity Provider ID	string (required)

GCPAuthProperties

Name	Description	Value
projectNumber	The GCP project number.	string (required)
serviceAccountEmail	The service account that is used to access the GCP project.	string (required)
workloadIdentityProviderId	The workload identity provider id that is used to gain access to the GCP project.	string (required)

GCPDataConnector

Name	Description	Value
kind	The data connector kind	'GCP' (required)
properties	Google Cloud Platform data connector properties.	GCPDataConnectorProperties

GCPDataConnectorProperties

Name	Description	Value
auth	The auth section of the connector.	GCPAuthProperties (required)
connectorDefinitionName	The name of the connector definition that represents the UI config.	string (required)
dcrConfig	The configuration of the destination of the data.	DCRConfiguration
request	The request section of the connector.	GCPRequestProperties (required)

GCPRequestProperties

Name	Description	Value
projectId	The GCP project id.	string (required)
subscriptionNames	The GCP pub/sub subscription names.	string[] (required)

GenericBlobSbsAuthModel

Name	Description	Value
credentialsConfig	Credentials for service bus namespace, keyvault uri for access key	GenericBlobSbsAuthModelCredentialsConfig
storageAccountCredentialsConfig	Credentials for storage account, keyvault uri for access key	GenericBlobSbsAuthModelStorageAccountCredentialsConfig
type	The auth type	'ServiceBus' (required)

GenericBlobSbsAuthModelCredentialsConfig

Name	Description	Value

GenericBlobSbsAuthModelStorageAccountCredentialsConfig

Name	Description	Value

GitHubAuthModel

Name	Description	Value
installationId	The GitHubApp auth installation id.	string
type	The auth type	'GitHub' (required)

InstructionStepsInstructionsItem

Name	Description	Value
parameters	The parameters for the setting	any
type	The kind of the setting	'CopyableLabel' 'InfoMessage' 'InstructionStepsGroup' (required)

IoTDataConnector

Name	Description	Value
kind	The data connector kind	'IOT' (required)
properties	IoT data connector properties.	IoTDataConnectorProperties

IoTDataConnectorProperties

Name	Description	Value
dataTypes	The available data types for the connector.	AlertsDataTypeOfDataConnector
subscriptionId	The subscription id to connect to, and get the data from.	string

JwtAuthModel

Name	Description	Value
headers	The custom headers we want to add once we send request to token endpoint.	JwtAuthModelHeaders
isCredentialsInHeaders	Flag indicating whether we want to send the user name and password to token endpoint in the headers.	bool
isJsonRequest	Flag indicating whether the body request is JSON (header Content-Type = application/json), meaning its a Form URL encoded request (header Content-Type = application/x-www-form-urlencoded).	bool
password	The password	JwtAuthModelPassword (required)
queryParameters	The custom query parameter we want to add once we send request to token endpoint.	JwtAuthModelQueryParameters
requestTimeoutInSeconds	Request timeout in seconds.	int Constraints: Max value = 180
tokenEndpoint	Token endpoint to request JWT	string (required)
type	The auth type	'JwtToken' (required)
userName	The user name. If user name and password sent in header request we only need to populate the value property with the user name (Same as basic auth). If user name and password sent in body request we need to specify the Key and Value.	JwtAuthModelUserName (required)

JwtAuthModelHeaders

Name	Description	Value

JwtAuthModelPassword

Name	Description	Value

JwtAuthModelQueryParameters

Name	Description	Value

JwtAuthModelUserName

Name	Description	Value

McasDataConnector

Name	Description	Value
kind	The data connector kind	'MicrosoftCloudAppSecurity' (required)
properties	MCAS (Microsoft Cloud App Security) data connector properties.	McasDataConnectorProperties

McasDataConnectorDataTypes

Name	Description	Value
alerts	Alerts data type connection.	DataConnectorDataTypeCommon (required)
discoveryLogs	Discovery log data type connection.	DataConnectorDataTypeCommon

McasDataConnectorProperties

Name	Description	Value
dataTypes	The available data types for the connector.	McasDataConnectorDataTypes (required)
tenantId	The tenant id to connect to, and get the data from.	string (required)

MdatpDataConnector

Name	Description	Value
kind	The data connector kind	'MicrosoftDefenderAdvancedThreatProtection' (required)
properties	MDATP (Microsoft Defender Advanced Threat Protection) data connector properties.	MdatpDataConnectorProperties

MdatpDataConnectorProperties

Name	Description	Value
dataTypes	The available data types for the connector.	AlertsDataTypeOfDataConnector
tenantId	The tenant id to connect to, and get the data from.	string (required)

Microsoft.SecurityInsights/dataConnectors

Name	Description	Value
etag	Etag of the azure resource	string
kind	Set to 'APIPolling' for type CodelessApiPollingDataConnector. Set to 'AmazonWebServicesCloudTrail' for type AwsCloudTrailDataConnector. Set to 'AmazonWebServicesS3' for type AwsS3DataConnector. Set to 'AzureActiveDirectory' for type AADDataConnector. Set to 'AzureAdvancedThreatProtection' for type AatpDataConnector. Set to 'AzureSecurityCenter' for type ASCDataConnector. Set to 'Dynamics365' for type Dynamics365DataConnector. Set to 'GCP' for type GCPDataConnector. Set to 'GenericUI' for type CodelessUiDataConnector. Set to 'IOT' for type IoTDataConnector. Set to 'MicrosoftCloudAppSecurity' for type McasDataConnector. Set to 'MicrosoftDefenderAdvancedThreatProtection' for type MdatpDataConnector. Set to 'MicrosoftPurviewInformationProtection' for type MicrosoftPurviewInformationProtectionDataConnector. Set to 'MicrosoftThreatIntelligence' for type MstiDataConnector. Set to 'MicrosoftThreatProtection' for type MTPDataConnector. Set to 'Office365' for type OfficeDataConnector. Set to 'Office365Project' for type Office365ProjectDataConnector. Set to 'OfficeATP' for type OfficeATPDataConnector. Set to 'OfficeIRM' for type OfficeIRMDataConnector. Set to 'OfficePowerBI' for type OfficePowerBIDataConnector. Set to 'PurviewAudit' for type PurviewAuditDataConnector. Set to 'RestApiPoller' for type RestApiPollerDataConnector. Set to 'ThreatIntelligence' for type TIDataConnector. Set to 'ThreatIntelligenceTaxii' for type TiTaxiiDataConnector.	'AmazonWebServicesCloudTrail' 'AmazonWebServicesS3' 'APIPolling' 'AzureActiveDirectory' 'AzureAdvancedThreatProtection' 'AzureSecurityCenter' 'Dynamics365' 'GCP' 'GenericUI' 'IOT' 'MicrosoftCloudAppSecurity' 'MicrosoftDefenderAdvancedThreatProtection' 'MicrosoftPurviewInformationProtection' 'MicrosoftThreatIntelligence' 'MicrosoftThreatProtection' 'Office365' 'Office365Project' 'OfficeATP' 'OfficeIRM' 'OfficePowerBI' 'PurviewAudit' 'RestApiPoller' 'ThreatIntelligence' 'ThreatIntelligenceTaxii' (required)
name	The resource name	string (required)
scope	Use when creating a resource at a scope that is different than the deployment scope.	Set this property to the symbolic name of a resource to apply the extension resource.

MicrosoftPurviewInformationProtectionConnectorDataTypes

Name	Description	Value
logs	Logs data type.	MicrosoftPurviewInformationProtectionConnectorDataTypesLogs (required)

MicrosoftPurviewInformationProtectionConnectorDataTypesLogs

Name	Description	Value
state	Describe whether this data type connection is enabled or not.	'Disabled' 'Enabled' (required)

MicrosoftPurviewInformationProtectionDataConnector

Name	Description	Value
kind	The data connector kind	'MicrosoftPurviewInformationProtection' (required)
properties	Microsoft Purview Information Protection data connector properties.	MicrosoftPurviewInformationProtectionDataConnectorProperties

MicrosoftPurviewInformationProtectionDataConnectorProperties

Name	Description	Value
dataTypes	The available data types for the connector.	MicrosoftPurviewInformationProtectionConnectorDataTypes (required)
tenantId	The tenant id to connect to, and get the data from.	string (required)

MstiDataConnector

Name	Description	Value
kind	The data connector kind	'MicrosoftThreatIntelligence' (required)
properties	Microsoft Threat Intelligence data connector properties.	MstiDataConnectorProperties

MstiDataConnectorDataTypes

Name	Description	Value
microsoftEmergingThreatFeed	Data type for Microsoft Threat Intelligence Platforms data connector.	MstiDataConnectorDataTypesMicrosoftEmergingThreatFeed (required)

MstiDataConnectorDataTypesMicrosoftEmergingThreatFeed

Name	Description	Value
lookbackPeriod	The lookback period for the feed to be imported.	string (required)
state	Describe whether this data type connection is enabled or not.	'Disabled' 'Enabled' (required)

MstiDataConnectorProperties

Name	Description	Value
dataTypes	The available data types for the connector.	MstiDataConnectorDataTypes (required)
tenantId	The tenant id to connect to, and get the data from.	string (required)

MTPDataConnector

Name	Description	Value
kind	The data connector kind	'MicrosoftThreatProtection' (required)
properties	MTP (Microsoft Threat Protection) data connector properties.	MTPDataConnectorProperties

MTPDataConnectorDataTypes

Name	Description	Value
alerts	Alerts data type for Microsoft Threat Protection Platforms data connector.	MTPDataConnectorDataTypesAlerts
incidents	Incidents data type for Microsoft Threat Protection Platforms data connector.	MTPDataConnectorDataTypesIncidents (required)

MTPDataConnectorDataTypesAlerts

Name	Description	Value
state	Describe whether this data type connection is enabled or not.	'Disabled' 'Enabled' (required)

MTPDataConnectorDataTypesIncidents

Name	Description	Value
state	Describe whether this data type connection is enabled or not.	'Disabled' 'Enabled' (required)

MTPDataConnectorProperties

Name	Description	Value
dataTypes	The available data types for the connector.	MTPDataConnectorDataTypes (required)
filteredProviders	The available filtered providers for the connector.	MtpFilteredProviders
tenantId	The tenant id to connect to, and get the data from.	string (required)

MtpFilteredProviders

Name	Description	Value
alerts	Alerts filtered providers. When filters are not applied, all alerts will stream through the MTP pipeline, still in private preview for all products EXCEPT MDA and MDI, which are in GA state.	String array containing any of: 'microsoftDefenderForCloudApps' 'microsoftDefenderForIdentity' (required)

NoneAuthModel

Name	Description	Value
type	The auth type	'None' (required)

OAuthModel

Name	Description	Value
accessTokenPrepend	Access token prepend. Default is 'Bearer'.	string
authorizationCode	The user's authorization code.	string
authorizationEndpoint	The authorization endpoint.	string
authorizationEndpointHeaders	The authorization endpoint headers.	OAuthModelAuthorizationEndpointHeaders
authorizationEndpointQueryParameters	The authorization endpoint query parameters.	OAuthModelAuthorizationEndpointQueryParameters
clientId	The Application (client) ID that the OAuth provider assigned to your app.	string (required)
clientSecret	The Application (client) secret that the OAuth provider assigned to your app.	string (required)
grantType	The grant type, usually will be 'authorization code'.	string (required)
isCredentialsInHeaders	Indicating whether we want to send the clientId and clientSecret to token endpoint in the headers.	bool
isJwtBearerFlow	A value indicating whether it's a JWT flow.	bool
redirectUri	The Application redirect url that the user config in the OAuth provider.	string
scope	The Application (client) Scope that the OAuth provider assigned to your app.	string
tokenEndpoint	The token endpoint. Defines the OAuth2 refresh token.	string (required)
tokenEndpointHeaders	The token endpoint headers.	OAuthModelTokenEndpointHeaders
tokenEndpointQueryParameters	The token endpoint query parameters.	OAuthModelTokenEndpointQueryParameters
type	The auth type	'OAuth2' (required)

OAuthModelAuthorizationEndpointHeaders

Name	Description	Value

OAuthModelAuthorizationEndpointQueryParameters

Name	Description	Value

OAuthModelTokenEndpointHeaders

Name	Description	Value

OAuthModelTokenEndpointQueryParameters

Name	Description	Value

Office365ProjectConnectorDataTypes

Name	Description	Value
logs	Logs data type.	Office365ProjectConnectorDataTypesLogs (required)

Office365ProjectConnectorDataTypesLogs

Name	Description	Value
state	Describe whether this data type connection is enabled or not.	'Disabled' 'Enabled' (required)

Office365ProjectDataConnector

Name	Description	Value
kind	The data connector kind	'Office365Project' (required)
properties	Office Microsoft Project data connector properties.	Office365ProjectDataConnectorProperties

Office365ProjectDataConnectorProperties

Name	Description	Value
dataTypes	The available data types for the connector.	Office365ProjectConnectorDataTypes (required)
tenantId	The tenant id to connect to, and get the data from.	string (required)

OfficeATPDataConnector

Name	Description	Value
kind	The data connector kind	'OfficeATP' (required)
properties	OfficeATP (Office 365 Advanced Threat Protection) data connector properties.	OfficeATPDataConnectorProperties

OfficeATPDataConnectorProperties

Name	Description	Value
dataTypes	The available data types for the connector.	AlertsDataTypeOfDataConnector
tenantId	The tenant id to connect to, and get the data from.	string (required)

OfficeDataConnector

Name	Description	Value
kind	The data connector kind	'Office365' (required)
properties	Office data connector properties.	OfficeDataConnectorProperties

OfficeDataConnectorDataTypes

Name	Description	Value
exchange	Exchange data type connection.	OfficeDataConnectorDataTypesExchange (required)
sharePoint	SharePoint data type connection.	OfficeDataConnectorDataTypesSharePoint (required)
teams	Teams data type connection.	OfficeDataConnectorDataTypesTeams (required)

OfficeDataConnectorDataTypesExchange

Name	Description	Value
state	Describe whether this data type connection is enabled or not.	'Disabled' 'Enabled' (required)

OfficeDataConnectorDataTypesSharePoint

Name	Description	Value
state	Describe whether this data type connection is enabled or not.	'Disabled' 'Enabled' (required)

OfficeDataConnectorDataTypesTeams

Name	Description	Value
state	Describe whether this data type connection is enabled or not.	'Disabled' 'Enabled' (required)

OfficeDataConnectorProperties

Name	Description	Value
dataTypes	The available data types for the connector.	OfficeDataConnectorDataTypes (required)
tenantId	The tenant id to connect to, and get the data from.	string (required)

OfficeIRMDataConnector

Name	Description	Value
kind	The data connector kind	'OfficeIRM' (required)
properties	OfficeIRM (Microsoft Insider Risk Management) data connector properties.	OfficeIRMDataConnectorProperties

OfficeIRMDataConnectorProperties

Name	Description	Value
dataTypes	The available data types for the connector.	AlertsDataTypeOfDataConnector
tenantId	The tenant id to connect to, and get the data from.	string (required)

OfficePowerBIConnectorDataTypes

Name	Description	Value
logs	Logs data type.	OfficePowerBIConnectorDataTypesLogs (required)

OfficePowerBIConnectorDataTypesLogs

Name	Description	Value
state	Describe whether this data type connection is enabled or not.	'Disabled' 'Enabled' (required)

OfficePowerBIDataConnector

Name	Description	Value
kind	The data connector kind	'OfficePowerBI' (required)
properties	Office Microsoft PowerBI data connector properties.	OfficePowerBIDataConnectorProperties

OfficePowerBIDataConnectorProperties

Name	Description	Value
dataTypes	The available data types for the connector.	OfficePowerBIConnectorDataTypes (required)
tenantId	The tenant id to connect to, and get the data from.	string (required)

OracleAuthModel

Name	Description	Value
pemFile	Content of the PRM file	string (required)
publicFingerprint	Public Fingerprint	string (required)
tenantId	Oracle tenant ID	string (required)
type	The auth type	'Oracle' (required)
userId	Oracle user ID	string (required)

Permissions

Name	Description	Value
customs	Customs permissions required for the connector	PermissionsCustomsItem[]
resourceProvider	Resource provider permissions required for the connector	PermissionsResourceProviderItem[]

PermissionsCustomsItem

Name	Description	Value
description	Customs permissions description	string
name	Customs permissions name	string

PermissionsResourceProviderItem

Name	Description	Value
permissionsDisplayText	Permission description text	string
provider	Provider name	'microsoft.aadiam/diagnosticSettings' 'Microsoft.Authorization/policyAssignments' 'Microsoft.OperationalInsights/solutions' 'Microsoft.OperationalInsights/workspaces' 'Microsoft.OperationalInsights/workspaces/datasources' 'Microsoft.OperationalInsights/workspaces/sharedKeys'
providerDisplayName	Permission provider display name	string
requiredPermissions	Required permissions for the connector	RequiredPermissions
scope	Permission provider scope	'ResourceGroup' 'Subscription' 'Workspace'

PurviewAuditConnectorDataTypes

Name	Description	Value
logs	Logs data type.	PurviewAuditConnectorDataTypesLogs (required)

PurviewAuditConnectorDataTypesLogs

Name	Description	Value
state	Describe whether this data type connection is enabled or not.	'Disabled' 'Enabled' (required)

PurviewAuditDataConnector

Name	Description	Value
kind	The data connector kind	'PurviewAudit' (required)
properties	PurviewAudit data connector properties.	PurviewAuditDataConnectorProperties

PurviewAuditDataConnectorProperties

Name	Description	Value
connectorDefinitionName	The connector definition name (the dataConnectorDefinition resource id).	string
dataTypes	The available data types for the connector.	PurviewAuditConnectorDataTypes (required)
dcrConfig	The DCR related properties.	DCRConfiguration
sourceType	The source type indicates which kind of data is relevant for this connector.	string
tenantId	The tenant id to connect to, and get the data from.	string (required)

RequiredPermissions

Name	Description	Value
action	action permission	bool
delete	delete permission	bool
read	read permission	bool
write	write permission	bool

RestApiPollerDataConnector

Name	Description	Value
kind	The data connector kind	'RestApiPoller' (required)
properties	Rest Api Poller data connector properties.	RestApiPollerDataConnectorProperties

RestApiPollerDataConnectorProperties

Name	Description	Value
addOnAttributes	The add on attributes. The key name will become attribute name (a column) and the value will become the attribute value in the payload.	RestApiPollerDataConnectorPropertiesAddOnAttributes
auth	The a authentication model.	CcpAuthConfig (required)
connectorDefinitionName	The connector definition name (the dataConnectorDefinition resource id).	string (required)
dataType	The Log Analytics table destination.	string
dcrConfig	The DCR related properties.	DCRConfiguration
isActive	Indicates whether the connector is active or not.	bool
paging	The paging configuration.	RestApiPollerRequestPagingConfig
request	The request configuration.	RestApiPollerRequestConfig (required)
response	The response configuration.	CcpResponseConfig

RestApiPollerDataConnectorPropertiesAddOnAttributes

Name	Description	Value

RestApiPollerRequestConfig

Name	Description	Value
apiEndpoint	The API endpoint.	string (required)
endTimeAttributeName	The query parameter name which the remote server expect to end query. This property goes hand to hand with startTimeAttributeName	string
headers	The header for the request for the remote server.	RestApiPollerRequestConfigHeaders
httpMethod	The HTTP method, default value GET.	'DELETE' 'GET' 'POST' 'PUT'
isPostPayloadJson	Flag to indicate if HTTP POST payload is in JSON format (vs form-urlencoded).	bool
queryParameters	The HTTP query parameters to RESTful API.	RestApiPollerRequestConfigQueryParameters
queryParametersTemplate	the query parameters template. Defines the query parameters template to use when passing query parameters in advanced scenarios.	string
queryTimeFormat	The query time format. A remote server can have a query to pull data from range 'start' to 'end'. This property indicate what is the expected time format the remote server know to parse.	string
queryTimeIntervalAttributeName	The query parameter name which we need to send the server for query logs in time interval. Should be defined with queryTimeIntervalPrepend and queryTimeIntervalDelimiter	string
queryTimeIntervalDelimiter	The delimiter string between 2 QueryTimeFormat in the query parameter queryTimeIntervalAttributeName.	string
queryTimeIntervalPrepend	The string prepend to the value of the query parameter in queryTimeIntervalAttributeName.	string
queryWindowInMin	The query window in minutes for the request.	int
rateLimitQPS	The Rate limit queries per second for the request..	int
retryCount	The retry count.	int
startTimeAttributeName	The query parameter name which the remote server expect to start query. This property goes hand to hand with endTimeAttributeName.	string
timeoutInSeconds	The timeout in seconds.	int

RestApiPollerRequestConfigHeaders

Name	Description	Value

RestApiPollerRequestConfigQueryParameters

Name	Description	Value

RestApiPollerRequestPagingConfig

Name	Description	Value
pageSize	Page size	int
pageSizeParameterName	Page size parameter name	string
pagingType	Type of paging	'CountBasedPaging' 'LinkHeader' 'NextPageToken' 'NextPageUrl' 'Offset' 'PersistentLinkHeader' 'PersistentToken' (required)

SessionAuthModel

Name	Description	Value
headers	HTTP request headers to session service endpoint.	SessionAuthModelHeaders
isPostPayloadJson	Indicating whether API key is set in HTTP POST payload.	bool
password	The password attribute name.	SessionAuthModelPassword (required)
queryParameters	Query parameters to session service endpoint.	SessionAuthModelQueryParameters
sessionIdName	Session id attribute name from HTTP response header.	string
sessionLoginRequestUri	HTTP request URL to session service endpoint.	string
sessionTimeoutInMinutes	Session timeout in minutes.	int
type	The auth type	'Session' (required)
userName	The user name attribute key value.	SessionAuthModelUserName (required)

SessionAuthModelHeaders

Name	Description	Value

SessionAuthModelPassword

Name	Description	Value

SessionAuthModelQueryParameters

Name	Description	Value

SessionAuthModelUserName

Name	Description	Value

TIDataConnector

Name	Description	Value
kind	The data connector kind	'ThreatIntelligence' (required)
properties	TI (Threat Intelligence) data connector properties.	TIDataConnectorProperties

TIDataConnectorDataTypes

Name	Description	Value
indicators	Data type for indicators connection.	TIDataConnectorDataTypesIndicators (required)

TIDataConnectorDataTypesIndicators

Name	Description	Value
state	Describe whether this data type connection is enabled or not.	'Disabled' 'Enabled' (required)

TIDataConnectorProperties

Name	Description	Value
dataTypes	The available data types for the connector.	TIDataConnectorDataTypes (required)
tenantId	The tenant id to connect to, and get the data from.	string (required)
tipLookbackPeriod	The lookback period for the feed to be imported.	string

TiTaxiiDataConnector

Name	Description	Value
kind	The data connector kind	'ThreatIntelligenceTaxii' (required)
properties	Threat intelligence TAXII data connector properties.	TiTaxiiDataConnectorProperties

TiTaxiiDataConnectorDataTypes

Name	Description	Value
taxiiClient	Data type for TAXII connector.	TiTaxiiDataConnectorDataTypesTaxiiClient (required)

TiTaxiiDataConnectorDataTypesTaxiiClient

Name	Description	Value
state	Describe whether this data type connection is enabled or not.	'Disabled' 'Enabled' (required)

TiTaxiiDataConnectorProperties

Name	Description	Value
collectionId	The collection id of the TAXII server.	string
dataTypes	The available data types for Threat Intelligence TAXII data connector.	TiTaxiiDataConnectorDataTypes (required)
friendlyName	The friendly name for the TAXII server.	string
password	The password for the TAXII server.	string
pollingFrequency	The polling frequency for the TAXII server.	'OnceADay' 'OnceAMinute' 'OnceAnHour' (required)
taxiiLookbackPeriod	The lookback period for the TAXII server.	string
taxiiServer	The API root for the TAXII server.	string
tenantId	The tenant id to connect to, and get the data from.	string (required)
userName	The userName for the TAXII server.	string
workspaceId	The workspace id.	string

ARM template resource definition

The dataConnectors resource type can be deployed with operations that target:

For a list of changed properties in each API version, see change log.

Resource format

To create a Microsoft.SecurityInsights/dataConnectors resource, add the following JSON to your template.

{
  "etag": "string",
  "name": "string",
  "kind": "string"
  // For remaining properties, see Microsoft.SecurityInsights/dataConnectors objects
}

CcpAuthConfig objects

Set the type property to specify the type of object.

For APIKey, use:

{
  "apiKey": "string",
  "apiKeyIdentifier": "string",
  "apiKeyName": "string",
  "isApiKeyInPostPayload": "bool",
  "type": "APIKey"
}

For AWS, use:

{
  "externalId": "string",
  "roleArn": "string",
  "type": "AWS"
}

For Basic, use:

{
  "password": "string",
  "type": "Basic",
  "userName": "string"
}

For GCP, use:

{
  "projectNumber": "string",
  "serviceAccountEmail": "string",
  "type": "GCP",
  "workloadIdentityProviderId": "string"
}

For GitHub, use:

{
  "installationId": "string",
  "type": "GitHub"
}

For JwtToken, use:

{
  "headers": {
    "{customized property}": "string"
  },
  "isCredentialsInHeaders": "bool",
  "isJsonRequest": "bool",
  "password": {
    "{customized property}": "string"
  },
  "queryParameters": {
    "{customized property}": "string"
  },
  "requestTimeoutInSeconds": "int",
  "tokenEndpoint": "string",
  "type": "JwtToken",
  "userName": {
    "{customized property}": "string"
  }
}

For None, use:

{
  "type": "None"
}

For OAuth2, use:

{
  "accessTokenPrepend": "string",
  "authorizationCode": "string",
  "authorizationEndpoint": "string",
  "authorizationEndpointHeaders": {
    "{customized property}": "string"
  },
  "authorizationEndpointQueryParameters": {
    "{customized property}": "string"
  },
  "clientId": "string",
  "clientSecret": "string",
  "grantType": "string",
  "isCredentialsInHeaders": "bool",
  "isJwtBearerFlow": "bool",
  "redirectUri": "string",
  "scope": "string",
  "tokenEndpoint": "string",
  "tokenEndpointHeaders": {
    "{customized property}": "string"
  },
  "tokenEndpointQueryParameters": {
    "{customized property}": "string"
  },
  "type": "OAuth2"
}

For Oracle, use:

{
  "pemFile": "string",
  "publicFingerprint": "string",
  "tenantId": "string",
  "type": "Oracle",
  "userId": "string"
}

For ServiceBus, use:

{
  "credentialsConfig": {
    "{customized property}": "string"
  },
  "storageAccountCredentialsConfig": {
    "{customized property}": "string"
  },
  "type": "ServiceBus"
}

For Session, use:

{
  "headers": {
    "{customized property}": "string"
  },
  "isPostPayloadJson": "bool",
  "password": {
    "{customized property}": "string"
  },
  "queryParameters": {
    "{customized property}": {}
  },
  "sessionIdName": "string",
  "sessionLoginRequestUri": "string",
  "sessionTimeoutInMinutes": "int",
  "type": "Session",
  "userName": {
    "{customized property}": "string"
  }
}

Microsoft.SecurityInsights/dataConnectors objects

Set the kind property to specify the type of object.

For APIPolling, use:

{
  "kind": "APIPolling",
  "properties": {
    "connectorUiConfig": {
      "availability": {
        "isPreview": "bool",
        "status": "1"
      },
      "connectivityCriteria": [
        {
          "type": "string",
          "value": [ "string" ]
        }
      ],
      "customImage": "string",
      "dataTypes": [
        {
          "lastDataReceivedQuery": "string",
          "name": "string"
        }
      ],
      "descriptionMarkdown": "string",
      "graphQueries": [
        {
          "baseQuery": "string",
          "legend": "string",
          "metricName": "string"
        }
      ],
      "graphQueriesTableName": "string",
      "instructionSteps": [
        {
          "description": "string",
          "instructions": [
            {
              "parameters": {},
              "type": "string"
            }
          ],
          "title": "string"
        }
      ],
      "permissions": {
        "customs": [
          {
            "description": "string",
            "name": "string"
          }
        ],
        "resourceProvider": [
          {
            "permissionsDisplayText": "string",
            "provider": "string",
            "providerDisplayName": "string",
            "requiredPermissions": {
              "action": "bool",
              "delete": "bool",
              "read": "bool",
              "write": "bool"
            },
            "scope": "string"
          }
        ]
      },
      "publisher": "string",
      "sampleQueries": [
        {
          "description": "string",
          "query": "string"
        }
      ],
      "title": "string"
    },
    "pollingConfig": {
      "auth": {
        "apiKeyIdentifier": "string",
        "apiKeyName": "string",
        "authorizationEndpoint": "string",
        "authorizationEndpointQueryParameters": {},
        "authType": "string",
        "flowName": "string",
        "isApiKeyInPostPayload": "string",
        "isClientSecretInHeader": "bool",
        "redirectionEndpoint": "string",
        "scope": "string",
        "tokenEndpoint": "string",
        "tokenEndpointHeaders": {},
        "tokenEndpointQueryParameters": {}
      },
      "isActive": "bool",
      "paging": {
        "nextPageParaName": "string",
        "nextPageTokenJsonPath": "string",
        "pageCountAttributePath": "string",
        "pageSize": "int",
        "pageSizeParaName": "string",
        "pageTimeStampAttributePath": "string",
        "pageTotalCountAttributePath": "string",
        "pagingType": "string",
        "searchTheLatestTimeStampFromEventsList": "string"
      },
      "request": {
        "apiEndpoint": "string",
        "endTimeAttributeName": "string",
        "headers": {},
        "httpMethod": "string",
        "queryParameters": {},
        "queryParametersTemplate": "string",
        "queryTimeFormat": "string",
        "queryWindowInMin": "int",
        "rateLimitQps": "int",
        "retryCount": "int",
        "startTimeAttributeName": "string",
        "timeoutInSeconds": "int"
      },
      "response": {
        "eventsJsonPaths": [ "string" ],
        "isGzipCompressed": "bool",
        "successStatusJsonPath": "string",
        "successStatusValue": "string"
      }
    }
  }
}

For AmazonWebServicesCloudTrail, use:

{
  "kind": "AmazonWebServicesCloudTrail",
  "properties": {
    "awsRoleArn": "string",
    "dataTypes": {
      "logs": {
        "state": "string"
      }
    }
  }
}

For AmazonWebServicesS3, use:

{
  "kind": "AmazonWebServicesS3",
  "properties": {
    "dataTypes": {
      "logs": {
        "state": "string"
      }
    },
    "destinationTable": "string",
    "roleArn": "string",
    "sqsUrls": [ "string" ]
  }
}

For AzureActiveDirectory, use:

{
  "kind": "AzureActiveDirectory",
  "properties": {
    "dataTypes": {
      "alerts": {
        "state": "string"
      }
    },
    "tenantId": "string"
  }
}

For AzureAdvancedThreatProtection, use:

{
  "kind": "AzureAdvancedThreatProtection",
  "properties": {
    "dataTypes": {
      "alerts": {
        "state": "string"
      }
    },
    "tenantId": "string"
  }
}

For AzureSecurityCenter, use:

{
  "kind": "AzureSecurityCenter",
  "properties": {
    "dataTypes": {
      "alerts": {
        "state": "string"
      }
    },
    "subscriptionId": "string"
  }
}

For Dynamics365, use:

{
  "kind": "Dynamics365",
  "properties": {
    "dataTypes": {
      "dynamics365CdsActivities": {
        "state": "string"
      }
    },
    "tenantId": "string"
  }
}

For GCP, use:

{
  "kind": "GCP",
  "properties": {
    "auth": {
      "projectNumber": "string",
      "serviceAccountEmail": "string",
      "workloadIdentityProviderId": "string"
    },
    "connectorDefinitionName": "string",
    "dcrConfig": {
      "dataCollectionEndpoint": "string",
      "dataCollectionRuleImmutableId": "string",
      "streamName": "string"
    },
    "request": {
      "projectId": "string",
      "subscriptionNames": [ "string" ]
    }
  }
}

For GenericUI, use:

{
  "kind": "GenericUI",
  "properties": {
    "connectorUiConfig": {
      "availability": {
        "isPreview": "bool",
        "status": "1"
      },
      "connectivityCriteria": [
        {
          "type": "string",
          "value": [ "string" ]
        }
      ],
      "customImage": "string",
      "dataTypes": [
        {
          "lastDataReceivedQuery": "string",
          "name": "string"
        }
      ],
      "descriptionMarkdown": "string",
      "graphQueries": [
        {
          "baseQuery": "string",
          "legend": "string",
          "metricName": "string"
        }
      ],
      "graphQueriesTableName": "string",
      "instructionSteps": [
        {
          "description": "string",
          "instructions": [
            {
              "parameters": {},
              "type": "string"
            }
          ],
          "title": "string"
        }
      ],
      "permissions": {
        "customs": [
          {
            "description": "string",
            "name": "string"
          }
        ],
        "resourceProvider": [
          {
            "permissionsDisplayText": "string",
            "provider": "string",
            "providerDisplayName": "string",
            "requiredPermissions": {
              "action": "bool",
              "delete": "bool",
              "read": "bool",
              "write": "bool"
            },
            "scope": "string"
          }
        ]
      },
      "publisher": "string",
      "sampleQueries": [
        {
          "description": "string",
          "query": "string"
        }
      ],
      "title": "string"
    }
  }
}

For IOT, use:

{
  "kind": "IOT",
  "properties": {
    "dataTypes": {
      "alerts": {
        "state": "string"
      }
    },
    "subscriptionId": "string"
  }
}

For MicrosoftCloudAppSecurity, use:

{
  "kind": "MicrosoftCloudAppSecurity",
  "properties": {
    "dataTypes": {
      "alerts": {
        "state": "string"
      },
      "discoveryLogs": {
        "state": "string"
      }
    },
    "tenantId": "string"
  }
}

For MicrosoftDefenderAdvancedThreatProtection, use:

{
  "kind": "MicrosoftDefenderAdvancedThreatProtection",
  "properties": {
    "dataTypes": {
      "alerts": {
        "state": "string"
      }
    },
    "tenantId": "string"
  }
}

For MicrosoftPurviewInformationProtection, use:

{
  "kind": "MicrosoftPurviewInformationProtection",
  "properties": {
    "dataTypes": {
      "logs": {
        "state": "string"
      }
    },
    "tenantId": "string"
  }
}

For MicrosoftThreatIntelligence, use:

{
  "kind": "MicrosoftThreatIntelligence",
  "properties": {
    "dataTypes": {
      "microsoftEmergingThreatFeed": {
        "lookbackPeriod": "string",
        "state": "string"
      }
    },
    "tenantId": "string"
  }
}

For MicrosoftThreatProtection, use:

{
  "kind": "MicrosoftThreatProtection",
  "properties": {
    "dataTypes": {
      "alerts": {
        "state": "string"
      },
      "incidents": {
        "state": "string"
      }
    },
    "filteredProviders": {
      "alerts": [ "string" ]
    },
    "tenantId": "string"
  }
}

For Office365, use:

{
  "kind": "Office365",
  "properties": {
    "dataTypes": {
      "exchange": {
        "state": "string"
      },
      "sharePoint": {
        "state": "string"
      },
      "teams": {
        "state": "string"
      }
    },
    "tenantId": "string"
  }
}

For Office365Project, use:

{
  "kind": "Office365Project",
  "properties": {
    "dataTypes": {
      "logs": {
        "state": "string"
      }
    },
    "tenantId": "string"
  }
}

For OfficeATP, use:

{
  "kind": "OfficeATP",
  "properties": {
    "dataTypes": {
      "alerts": {
        "state": "string"
      }
    },
    "tenantId": "string"
  }
}

For OfficeIRM, use:

{
  "kind": "OfficeIRM",
  "properties": {
    "dataTypes": {
      "alerts": {
        "state": "string"
      }
    },
    "tenantId": "string"
  }
}

For OfficePowerBI, use:

{
  "kind": "OfficePowerBI",
  "properties": {
    "dataTypes": {
      "logs": {
        "state": "string"
      }
    },
    "tenantId": "string"
  }
}

For PurviewAudit, use:

{
  "kind": "PurviewAudit",
  "properties": {
    "connectorDefinitionName": "string",
    "dataTypes": {
      "logs": {
        "state": "string"
      }
    },
    "dcrConfig": {
      "dataCollectionEndpoint": "string",
      "dataCollectionRuleImmutableId": "string",
      "streamName": "string"
    },
    "sourceType": "string",
    "tenantId": "string"
  }
}

For RestApiPoller, use:

{
  "kind": "RestApiPoller",
  "properties": {
    "addOnAttributes": {
      "{customized property}": "string"
    },
    "auth": {
      "type": "string"
      // For remaining properties, see CcpAuthConfig objects
    },
    "connectorDefinitionName": "string",
    "dataType": "string",
    "dcrConfig": {
      "dataCollectionEndpoint": "string",
      "dataCollectionRuleImmutableId": "string",
      "streamName": "string"
    },
    "isActive": "bool",
    "paging": {
      "pageSize": "int",
      "pageSizeParameterName": "string",
      "pagingType": "string"
    },
    "request": {
      "apiEndpoint": "string",
      "endTimeAttributeName": "string",
      "headers": {
        "{customized property}": "string"
      },
      "httpMethod": "string",
      "isPostPayloadJson": "bool",
      "queryParameters": {
        "{customized property}": {}
      },
      "queryParametersTemplate": "string",
      "queryTimeFormat": "string",
      "queryTimeIntervalAttributeName": "string",
      "queryTimeIntervalDelimiter": "string",
      "queryTimeIntervalPrepend": "string",
      "queryWindowInMin": "int",
      "rateLimitQPS": "int",
      "retryCount": "int",
      "startTimeAttributeName": "string",
      "timeoutInSeconds": "int"
    },
    "response": {
      "compressionAlgo": "string",
      "convertChildPropertiesToArray": "bool",
      "csvDelimiter": "string",
      "csvEscape": "string",
      "eventsJsonPaths": [ "string" ],
      "format": "string",
      "hasCsvBoundary": "bool",
      "hasCsvHeader": "bool",
      "isGzipCompressed": "bool",
      "successStatusJsonPath": "string",
      "successStatusValue": "string"
    }
  }
}

For ThreatIntelligence, use:

{
  "kind": "ThreatIntelligence",
  "properties": {
    "dataTypes": {
      "indicators": {
        "state": "string"
      }
    },
    "tenantId": "string",
    "tipLookbackPeriod": "string"
  }
}

For ThreatIntelligenceTaxii, use:

{
  "kind": "ThreatIntelligenceTaxii",
  "properties": {
    "collectionId": "string",
    "dataTypes": {
      "taxiiClient": {
        "state": "string"
      }
    },
    "friendlyName": "string",
    "password": "string",
    "pollingFrequency": "string",
    "taxiiLookbackPeriod": "string",
    "taxiiServer": "string",
    "tenantId": "string",
    "userName": "string",
    "workspaceId": "string"
  }
}

Property values

AADDataConnector

Name	Description	Value
kind	The data connector kind	'AzureActiveDirectory' (required)
properties	AADIP (Azure Active Directory Identity Protection) data connector properties.	AADDataConnectorProperties

AADDataConnectorProperties

Name	Description	Value
dataTypes	The available data types for the connector.	AlertsDataTypeOfDataConnector
tenantId	The tenant id to connect to, and get the data from.	string (required)

AatpDataConnector

Name	Description	Value
kind	The data connector kind	'AzureAdvancedThreatProtection' (required)
properties	AATP (Azure Advanced Threat Protection) data connector properties.	AatpDataConnectorProperties

AatpDataConnectorProperties

Name	Description	Value
dataTypes	The available data types for the connector.	AlertsDataTypeOfDataConnector
tenantId	The tenant id to connect to, and get the data from.	string (required)

AlertsDataTypeOfDataConnector

Name	Description	Value
alerts	Alerts data type connection.	DataConnectorDataTypeCommon (required)

ApiKeyAuthModel

Name	Description	Value
apiKey	API Key for the user secret key credential	string (required)
apiKeyIdentifier	API Key Identifier	string
apiKeyName	API Key name	string (required)
isApiKeyInPostPayload	Flag to indicate if API key is set in HTTP POST payload	bool
type	The auth type	'APIKey' (required)

ApiPollingParameters

Name	Description	Value
connectorUiConfig	Config to describe the instructions blade	CodelessUiConnectorConfigProperties
pollingConfig	Config to describe the polling instructions	CodelessConnectorPollingConfigProperties

ASCDataConnector

Name	Description	Value
kind	The data connector kind	'AzureSecurityCenter' (required)
properties	ASC (Azure Security Center) data connector properties.	ASCDataConnectorProperties

ASCDataConnectorProperties

Name	Description	Value
dataTypes	The available data types for the connector.	AlertsDataTypeOfDataConnector
subscriptionId	The subscription id to connect to, and get the data from.	string

Availability

Name	Description	Value
isPreview	Set connector as preview	bool
status	The connector Availability Status	'1'

AWSAuthModel

Name	Description	Value
externalId	AWS STS assume role external ID. This is used to prevent the confused deputy problem: 'https://docs.aws.amazon.com/IAM/latest/UserGuide/confused-deputy.html'	string
roleArn	AWS STS assume role ARN	string (required)
type	The auth type	'AWS' (required)

AwsCloudTrailDataConnector

Name	Description	Value
kind	The data connector kind	'AmazonWebServicesCloudTrail' (required)
properties	Amazon Web Services CloudTrail data connector properties.	AwsCloudTrailDataConnectorProperties

AwsCloudTrailDataConnectorDataTypes

Name	Description	Value
logs	Logs data type.	AwsCloudTrailDataConnectorDataTypesLogs (required)

AwsCloudTrailDataConnectorDataTypesLogs

Name	Description	Value
state	Describe whether this data type connection is enabled or not.	'Disabled' 'Enabled' (required)

AwsCloudTrailDataConnectorProperties

Name	Description	Value
awsRoleArn	The Aws Role Arn (with CloudTrailReadOnly policy) that is used to access the Aws account.	string
dataTypes	The available data types for the connector.	AwsCloudTrailDataConnectorDataTypes (required)

AwsS3DataConnector

Name	Description	Value
kind	The data connector kind	'AmazonWebServicesS3' (required)
properties	Amazon Web Services S3 data connector properties.	AwsS3DataConnectorProperties

AwsS3DataConnectorDataTypes

Name	Description	Value
logs	Logs data type.	AwsS3DataConnectorDataTypesLogs (required)

AwsS3DataConnectorDataTypesLogs

Name	Description	Value
state	Describe whether this data type connection is enabled or not.	'Disabled' 'Enabled' (required)

AwsS3DataConnectorProperties

Name	Description	Value
dataTypes	The available data types for the connector.	AwsS3DataConnectorDataTypes (required)
destinationTable	The logs destination table name in LogAnalytics.	string (required)
roleArn	The Aws Role Arn that is used to access the Aws account.	string (required)
sqsUrls	The AWS sqs urls for the connector.	string[] (required)

BasicAuthModel

Name	Description	Value
password	The password	string (required)
type	The auth type	'Basic' (required)
userName	The user name.	string (required)

CcpAuthConfig

Name	Description	Value
type	Set to 'APIKey' for type ApiKeyAuthModel. Set to 'AWS' for type AWSAuthModel. Set to 'Basic' for type BasicAuthModel. Set to 'GCP' for type GCPAuthModel. Set to 'GitHub' for type GitHubAuthModel. Set to 'JwtToken' for type JwtAuthModel. Set to 'None' for type NoneAuthModel. Set to 'OAuth2' for type OAuthModel. Set to 'Oracle' for type OracleAuthModel. Set to 'ServiceBus' for type GenericBlobSbsAuthModel. Set to 'Session' for type SessionAuthModel.	'APIKey' 'AWS' 'Basic' 'GCP' 'GitHub' 'JwtToken' 'None' 'OAuth2' 'Oracle' 'ServiceBus' 'Session' (required)

CcpResponseConfig

Name	Description	Value
compressionAlgo	The compression algorithm. For Example: 'gzip', 'multi-gzip', 'deflate'.	string
convertChildPropertiesToArray	The value indicating whether the response isn't an array of events / logs. By setting this flag to true it means the remote server will response with an object which each property has as a value an array of events / logs.	bool
csvDelimiter	The csv delimiter, in case the response format is CSV.	string
csvEscape	The character used to escape characters in CSV.	string Constraints: Min length = 1 Max length = 1
eventsJsonPaths	The json paths, '$' char is the json root.	string[] (required)
format	The response format. possible values are json,csv,xml	string
hasCsvBoundary	The value indicating whether the response has CSV boundary in case the response in CSV format.	bool
hasCsvHeader	The value indicating whether the response has headers in case the response in CSV format.	bool
isGzipCompressed	The value indicating whether the remote server support Gzip and we should expect Gzip response.	bool
successStatusJsonPath	The value where the status message/code should appear in the response.	string
successStatusValue	The status value.	string

CodelessApiPollingDataConnector

Name	Description	Value
kind	The data connector kind	'APIPolling' (required)
properties	Codeless poling data connector properties	ApiPollingParameters

CodelessConnectorPollingAuthProperties

Name	Description	Value
apiKeyIdentifier	A prefix send in the header before the actual token	string
apiKeyName	The header name which the token is sent with	string
authorizationEndpoint	The endpoint used to authorize the user, used in Oauth 2.0 flow	string
authorizationEndpointQueryParameters	The query parameters used in authorization request, used in Oauth 2.0 flow	any
authType	The authentication type	string (required)
flowName	Describes the flow name, for example 'AuthCode' for Oauth 2.0	string
isApiKeyInPostPayload	Marks if the key should sent in header	string
isClientSecretInHeader	Marks if we should send the client secret in header or payload, used in Oauth 2.0 flow	bool
redirectionEndpoint	The redirect endpoint where we will get the authorization code, used in Oauth 2.0 flow	string
scope	The OAuth token scope	string
tokenEndpoint	The endpoint used to issue a token, used in Oauth 2.0 flow	string
tokenEndpointHeaders	The query headers used in token request, used in Oauth 2.0 flow	any
tokenEndpointQueryParameters	The query parameters used in token request, used in Oauth 2.0 flow	any

CodelessConnectorPollingConfigProperties

Name	Description	Value
auth	Describe the authentication type of the poller	CodelessConnectorPollingAuthProperties (required)
isActive	The poller active status	bool
paging	Describe the poll request paging config of the poller	CodelessConnectorPollingPagingProperties
request	Describe the poll request config parameters of the poller	CodelessConnectorPollingRequestProperties (required)
response	Describe the response config parameters of the poller	CodelessConnectorPollingResponseProperties

CodelessConnectorPollingPagingProperties

Name	Description	Value
nextPageParaName	Defines the name of a next page attribute	string
nextPageTokenJsonPath	Defines the path to a next page token JSON	string
pageCountAttributePath	Defines the path to a page count attribute	string
pageSize	Defines the paging size	int
pageSizeParaName	Defines the name of the page size parameter	string
pageTimeStampAttributePath	Defines the path to a paging time stamp attribute	string
pageTotalCountAttributePath	Defines the path to a page total count attribute	string
pagingType	Describes the type. could be 'None', 'PageToken', 'PageCount', 'TimeStamp'	string (required)
searchTheLatestTimeStampFromEventsList	Determines whether to search for the latest time stamp in the events list	string

CodelessConnectorPollingRequestProperties

Name	Description	Value
apiEndpoint	Describe the endpoint we should pull the data from	string (required)
endTimeAttributeName	This will be used the query events from the end of the time window	string
headers	Describe the headers sent in the poll request	any
httpMethod	The http method type we will use in the poll request, GET or POST	string (required)
queryParameters	Describe the query parameters sent in the poll request	any
queryParametersTemplate	For advanced scenarios for example user name/password embedded in nested JSON payload	string
queryTimeFormat	The time format will be used the query events in a specific window	string (required)
queryWindowInMin	The window interval we will use the pull the data	int (required)
rateLimitQps	Defines the rate limit QPS	int
retryCount	Describe the amount of time we should try and poll the data in case of failure	int
startTimeAttributeName	This will be used the query events from a start of the time window	string
timeoutInSeconds	The number of seconds we will consider as a request timeout	int

CodelessConnectorPollingResponseProperties

Name	Description	Value
eventsJsonPaths	Describes the path we should extract the data in the response	string[] (required)
isGzipCompressed	Describes if the data in the response is Gzip	bool
successStatusJsonPath	Describes the path we should extract the status code in the response	string
successStatusValue	Describes the path we should extract the status value in the response	string

CodelessParameters

Name	Description	Value
connectorUiConfig	Config to describe the instructions blade	CodelessUiConnectorConfigProperties

CodelessUiConnectorConfigProperties

Name	Description	Value
availability	Connector Availability Status	Availability (required)
connectivityCriteria	Define the way the connector check connectivity	CodelessUiConnectorConfigPropertiesConnectivityCriteriaItem[] (required)
customImage	An optional custom image to be used when displaying the connector within Azure Sentinel's connector's gallery	string
dataTypes	Data types to check for last data received	CodelessUiConnectorConfigPropertiesDataTypesItem[] (required)
descriptionMarkdown	Connector description	string (required)
graphQueries	The graph query to show the current data status	CodelessUiConnectorConfigPropertiesGraphQueriesItem[] (required)
graphQueriesTableName	Name of the table the connector will insert the data to	string (required)
instructionSteps	Instruction steps to enable the connector	CodelessUiConnectorConfigPropertiesInstructionStepsItem[] (required)
permissions	Permissions required for the connector	Permissions (required)
publisher	Connector publisher name	string (required)
sampleQueries	The sample queries for the connector	CodelessUiConnectorConfigPropertiesSampleQueriesItem[] (required)
title	Connector blade title	string (required)

CodelessUiConnectorConfigPropertiesConnectivityCriteriaItem

Name	Description	Value
type	type of connectivity	'IsConnectedQuery'
value	Queries for checking connectivity	string[]

CodelessUiConnectorConfigPropertiesDataTypesItem

Name	Description	Value
lastDataReceivedQuery	Query for indicate last data received	string
name	Name of the data type to show in the graph. can be use with {{graphQueriesTableName}} placeholder	string

CodelessUiConnectorConfigPropertiesGraphQueriesItem

Name	Description	Value
baseQuery	The base query for the graph	string
legend	The legend for the graph	string
metricName	the metric that the query is checking	string

CodelessUiConnectorConfigPropertiesInstructionStepsItem

Name	Description	Value
description	Instruction step description	string
instructions	Instruction step details	InstructionStepsInstructionsItem[]
title	Instruction step title	string

CodelessUiConnectorConfigPropertiesSampleQueriesItem

Name	Description	Value
description	The sample query description	string
query	the sample query	string

CodelessUiDataConnector

Name	Description	Value
kind	The data connector kind	'GenericUI' (required)
properties	Codeless UI data connector properties	CodelessParameters

DataConnectorDataTypeCommon

Name	Description	Value
state	Describe whether this data type connection is enabled or not.	'Disabled' 'Enabled' (required)

DCRConfiguration

Name	Description	Value
dataCollectionEndpoint	Represents the data collection ingestion endpoint in log analytics.	string (required)
dataCollectionRuleImmutableId	The data collection rule immutable id, the rule defines the transformation and data destination.	string (required)
streamName	The stream we are sending the data to.	string (required)

Dynamics365DataConnector

Name	Description	Value
kind	The data connector kind	'Dynamics365' (required)
properties	Dynamics365 data connector properties.	Dynamics365DataConnectorProperties

Dynamics365DataConnectorDataTypes

Name	Description	Value
dynamics365CdsActivities	Common Data Service data type connection.	Dynamics365DataConnectorDataTypesDynamics365CdsActivities (required)

Dynamics365DataConnectorDataTypesDynamics365CdsActivities

Name	Description	Value
state	Describe whether this data type connection is enabled or not.	'Disabled' 'Enabled' (required)

Dynamics365DataConnectorProperties

Name	Description	Value
dataTypes	The available data types for the connector.	Dynamics365DataConnectorDataTypes (required)
tenantId	The tenant id to connect to, and get the data from.	string (required)

GCPAuthModel

Name	Description	Value
projectNumber	GCP Project Number	string (required)
serviceAccountEmail	GCP Service Account Email	string (required)
type	The auth type	'GCP' (required)
workloadIdentityProviderId	GCP Workload Identity Provider ID	string (required)

GCPAuthProperties

Name	Description	Value
projectNumber	The GCP project number.	string (required)
serviceAccountEmail	The service account that is used to access the GCP project.	string (required)
workloadIdentityProviderId	The workload identity provider id that is used to gain access to the GCP project.	string (required)

GCPDataConnector

Name	Description	Value
kind	The data connector kind	'GCP' (required)
properties	Google Cloud Platform data connector properties.	GCPDataConnectorProperties

GCPDataConnectorProperties

Name	Description	Value
auth	The auth section of the connector.	GCPAuthProperties (required)
connectorDefinitionName	The name of the connector definition that represents the UI config.	string (required)
dcrConfig	The configuration of the destination of the data.	DCRConfiguration
request	The request section of the connector.	GCPRequestProperties (required)

GCPRequestProperties

Name	Description	Value
projectId	The GCP project id.	string (required)
subscriptionNames	The GCP pub/sub subscription names.	string[] (required)

GenericBlobSbsAuthModel

Name	Description	Value
credentialsConfig	Credentials for service bus namespace, keyvault uri for access key	GenericBlobSbsAuthModelCredentialsConfig
storageAccountCredentialsConfig	Credentials for storage account, keyvault uri for access key	GenericBlobSbsAuthModelStorageAccountCredentialsConfig
type	The auth type	'ServiceBus' (required)

GenericBlobSbsAuthModelCredentialsConfig

Name	Description	Value

GenericBlobSbsAuthModelStorageAccountCredentialsConfig

Name	Description	Value

GitHubAuthModel

Name	Description	Value
installationId	The GitHubApp auth installation id.	string
type	The auth type	'GitHub' (required)

InstructionStepsInstructionsItem

Name	Description	Value
parameters	The parameters for the setting	any
type	The kind of the setting	'CopyableLabel' 'InfoMessage' 'InstructionStepsGroup' (required)

IoTDataConnector

Name	Description	Value
kind	The data connector kind	'IOT' (required)
properties	IoT data connector properties.	IoTDataConnectorProperties

IoTDataConnectorProperties

Name	Description	Value
dataTypes	The available data types for the connector.	AlertsDataTypeOfDataConnector
subscriptionId	The subscription id to connect to, and get the data from.	string

JwtAuthModel

Name	Description	Value
headers	The custom headers we want to add once we send request to token endpoint.	JwtAuthModelHeaders
isCredentialsInHeaders	Flag indicating whether we want to send the user name and password to token endpoint in the headers.	bool
isJsonRequest	Flag indicating whether the body request is JSON (header Content-Type = application/json), meaning its a Form URL encoded request (header Content-Type = application/x-www-form-urlencoded).	bool
password	The password	JwtAuthModelPassword (required)
queryParameters	The custom query parameter we want to add once we send request to token endpoint.	JwtAuthModelQueryParameters
requestTimeoutInSeconds	Request timeout in seconds.	int Constraints: Max value = 180
tokenEndpoint	Token endpoint to request JWT	string (required)
type	The auth type	'JwtToken' (required)
userName	The user name. If user name and password sent in header request we only need to populate the value property with the user name (Same as basic auth). If user name and password sent in body request we need to specify the Key and Value.	JwtAuthModelUserName (required)

JwtAuthModelHeaders

Name	Description	Value

JwtAuthModelPassword

Name	Description	Value

JwtAuthModelQueryParameters

Name	Description	Value

JwtAuthModelUserName

Name	Description	Value

McasDataConnector

Name	Description	Value
kind	The data connector kind	'MicrosoftCloudAppSecurity' (required)
properties	MCAS (Microsoft Cloud App Security) data connector properties.	McasDataConnectorProperties

McasDataConnectorDataTypes

Name	Description	Value
alerts	Alerts data type connection.	DataConnectorDataTypeCommon (required)
discoveryLogs	Discovery log data type connection.	DataConnectorDataTypeCommon

McasDataConnectorProperties

Name	Description	Value
dataTypes	The available data types for the connector.	McasDataConnectorDataTypes (required)
tenantId	The tenant id to connect to, and get the data from.	string (required)

MdatpDataConnector

Name	Description	Value
kind	The data connector kind	'MicrosoftDefenderAdvancedThreatProtection' (required)
properties	MDATP (Microsoft Defender Advanced Threat Protection) data connector properties.	MdatpDataConnectorProperties

MdatpDataConnectorProperties

Name	Description	Value
dataTypes	The available data types for the connector.	AlertsDataTypeOfDataConnector
tenantId	The tenant id to connect to, and get the data from.	string (required)

Microsoft.SecurityInsights/dataConnectors

Name	Description	Value
apiVersion	The api version	'2024-10-01-preview'
etag	Etag of the azure resource	string
kind	Set to 'APIPolling' for type CodelessApiPollingDataConnector. Set to 'AmazonWebServicesCloudTrail' for type AwsCloudTrailDataConnector. Set to 'AmazonWebServicesS3' for type AwsS3DataConnector. Set to 'AzureActiveDirectory' for type AADDataConnector. Set to 'AzureAdvancedThreatProtection' for type AatpDataConnector. Set to 'AzureSecurityCenter' for type ASCDataConnector. Set to 'Dynamics365' for type Dynamics365DataConnector. Set to 'GCP' for type GCPDataConnector. Set to 'GenericUI' for type CodelessUiDataConnector. Set to 'IOT' for type IoTDataConnector. Set to 'MicrosoftCloudAppSecurity' for type McasDataConnector. Set to 'MicrosoftDefenderAdvancedThreatProtection' for type MdatpDataConnector. Set to 'MicrosoftPurviewInformationProtection' for type MicrosoftPurviewInformationProtectionDataConnector. Set to 'MicrosoftThreatIntelligence' for type MstiDataConnector. Set to 'MicrosoftThreatProtection' for type MTPDataConnector. Set to 'Office365' for type OfficeDataConnector. Set to 'Office365Project' for type Office365ProjectDataConnector. Set to 'OfficeATP' for type OfficeATPDataConnector. Set to 'OfficeIRM' for type OfficeIRMDataConnector. Set to 'OfficePowerBI' for type OfficePowerBIDataConnector. Set to 'PurviewAudit' for type PurviewAuditDataConnector. Set to 'RestApiPoller' for type RestApiPollerDataConnector. Set to 'ThreatIntelligence' for type TIDataConnector. Set to 'ThreatIntelligenceTaxii' for type TiTaxiiDataConnector.	'AmazonWebServicesCloudTrail' 'AmazonWebServicesS3' 'APIPolling' 'AzureActiveDirectory' 'AzureAdvancedThreatProtection' 'AzureSecurityCenter' 'Dynamics365' 'GCP' 'GenericUI' 'IOT' 'MicrosoftCloudAppSecurity' 'MicrosoftDefenderAdvancedThreatProtection' 'MicrosoftPurviewInformationProtection' 'MicrosoftThreatIntelligence' 'MicrosoftThreatProtection' 'Office365' 'Office365Project' 'OfficeATP' 'OfficeIRM' 'OfficePowerBI' 'PurviewAudit' 'RestApiPoller' 'ThreatIntelligence' 'ThreatIntelligenceTaxii' (required)
name	The resource name	string (required)
type	The resource type	'Microsoft.SecurityInsights/dataConnectors'

MicrosoftPurviewInformationProtectionConnectorDataTypes

Name	Description	Value
logs	Logs data type.	MicrosoftPurviewInformationProtectionConnectorDataTypesLogs (required)

MicrosoftPurviewInformationProtectionConnectorDataTypesLogs

Name	Description	Value
state	Describe whether this data type connection is enabled or not.	'Disabled' 'Enabled' (required)

MicrosoftPurviewInformationProtectionDataConnector

Name	Description	Value
kind	The data connector kind	'MicrosoftPurviewInformationProtection' (required)
properties	Microsoft Purview Information Protection data connector properties.	MicrosoftPurviewInformationProtectionDataConnectorProperties

MicrosoftPurviewInformationProtectionDataConnectorProperties

Name	Description	Value
dataTypes	The available data types for the connector.	MicrosoftPurviewInformationProtectionConnectorDataTypes (required)
tenantId	The tenant id to connect to, and get the data from.	string (required)

MstiDataConnector

Name	Description	Value
kind	The data connector kind	'MicrosoftThreatIntelligence' (required)
properties	Microsoft Threat Intelligence data connector properties.	MstiDataConnectorProperties

MstiDataConnectorDataTypes

Name	Description	Value
microsoftEmergingThreatFeed	Data type for Microsoft Threat Intelligence Platforms data connector.	MstiDataConnectorDataTypesMicrosoftEmergingThreatFeed (required)

MstiDataConnectorDataTypesMicrosoftEmergingThreatFeed

Name	Description	Value
lookbackPeriod	The lookback period for the feed to be imported.	string (required)
state	Describe whether this data type connection is enabled or not.	'Disabled' 'Enabled' (required)

MstiDataConnectorProperties

Name	Description	Value
dataTypes	The available data types for the connector.	MstiDataConnectorDataTypes (required)
tenantId	The tenant id to connect to, and get the data from.	string (required)

MTPDataConnector

Name	Description	Value
kind	The data connector kind	'MicrosoftThreatProtection' (required)
properties	MTP (Microsoft Threat Protection) data connector properties.	MTPDataConnectorProperties

MTPDataConnectorDataTypes

Name	Description	Value
alerts	Alerts data type for Microsoft Threat Protection Platforms data connector.	MTPDataConnectorDataTypesAlerts
incidents	Incidents data type for Microsoft Threat Protection Platforms data connector.	MTPDataConnectorDataTypesIncidents (required)

MTPDataConnectorDataTypesAlerts

Name	Description	Value
state	Describe whether this data type connection is enabled or not.	'Disabled' 'Enabled' (required)

MTPDataConnectorDataTypesIncidents

Name	Description	Value
state	Describe whether this data type connection is enabled or not.	'Disabled' 'Enabled' (required)

MTPDataConnectorProperties

Name	Description	Value
dataTypes	The available data types for the connector.	MTPDataConnectorDataTypes (required)
filteredProviders	The available filtered providers for the connector.	MtpFilteredProviders
tenantId	The tenant id to connect to, and get the data from.	string (required)

MtpFilteredProviders

Name	Description	Value
alerts	Alerts filtered providers. When filters are not applied, all alerts will stream through the MTP pipeline, still in private preview for all products EXCEPT MDA and MDI, which are in GA state.	String array containing any of: 'microsoftDefenderForCloudApps' 'microsoftDefenderForIdentity' (required)

NoneAuthModel

Name	Description	Value
type	The auth type	'None' (required)

OAuthModel

Name	Description	Value
accessTokenPrepend	Access token prepend. Default is 'Bearer'.	string
authorizationCode	The user's authorization code.	string
authorizationEndpoint	The authorization endpoint.	string
authorizationEndpointHeaders	The authorization endpoint headers.	OAuthModelAuthorizationEndpointHeaders
authorizationEndpointQueryParameters	The authorization endpoint query parameters.	OAuthModelAuthorizationEndpointQueryParameters
clientId	The Application (client) ID that the OAuth provider assigned to your app.	string (required)
clientSecret	The Application (client) secret that the OAuth provider assigned to your app.	string (required)
grantType	The grant type, usually will be 'authorization code'.	string (required)
isCredentialsInHeaders	Indicating whether we want to send the clientId and clientSecret to token endpoint in the headers.	bool
isJwtBearerFlow	A value indicating whether it's a JWT flow.	bool
redirectUri	The Application redirect url that the user config in the OAuth provider.	string
scope	The Application (client) Scope that the OAuth provider assigned to your app.	string
tokenEndpoint	The token endpoint. Defines the OAuth2 refresh token.	string (required)
tokenEndpointHeaders	The token endpoint headers.	OAuthModelTokenEndpointHeaders
tokenEndpointQueryParameters	The token endpoint query parameters.	OAuthModelTokenEndpointQueryParameters
type	The auth type	'OAuth2' (required)

OAuthModelAuthorizationEndpointHeaders

Name	Description	Value

OAuthModelAuthorizationEndpointQueryParameters

Name	Description	Value

OAuthModelTokenEndpointHeaders

Name	Description	Value

OAuthModelTokenEndpointQueryParameters

Name	Description	Value

Office365ProjectConnectorDataTypes

Name	Description	Value
logs	Logs data type.	Office365ProjectConnectorDataTypesLogs (required)

Office365ProjectConnectorDataTypesLogs

Name	Description	Value
state	Describe whether this data type connection is enabled or not.	'Disabled' 'Enabled' (required)

Office365ProjectDataConnector

Name	Description	Value
kind	The data connector kind	'Office365Project' (required)
properties	Office Microsoft Project data connector properties.	Office365ProjectDataConnectorProperties

Office365ProjectDataConnectorProperties

Name	Description	Value
dataTypes	The available data types for the connector.	Office365ProjectConnectorDataTypes (required)
tenantId	The tenant id to connect to, and get the data from.	string (required)

OfficeATPDataConnector

Name	Description	Value
kind	The data connector kind	'OfficeATP' (required)
properties	OfficeATP (Office 365 Advanced Threat Protection) data connector properties.	OfficeATPDataConnectorProperties

OfficeATPDataConnectorProperties

Name	Description	Value
dataTypes	The available data types for the connector.	AlertsDataTypeOfDataConnector
tenantId	The tenant id to connect to, and get the data from.	string (required)

OfficeDataConnector

Name	Description	Value
kind	The data connector kind	'Office365' (required)
properties	Office data connector properties.	OfficeDataConnectorProperties

OfficeDataConnectorDataTypes

Name	Description	Value
exchange	Exchange data type connection.	OfficeDataConnectorDataTypesExchange (required)
sharePoint	SharePoint data type connection.	OfficeDataConnectorDataTypesSharePoint (required)
teams	Teams data type connection.	OfficeDataConnectorDataTypesTeams (required)

OfficeDataConnectorDataTypesExchange

Name	Description	Value
state	Describe whether this data type connection is enabled or not.	'Disabled' 'Enabled' (required)

OfficeDataConnectorDataTypesSharePoint

Name	Description	Value
state	Describe whether this data type connection is enabled or not.	'Disabled' 'Enabled' (required)

OfficeDataConnectorDataTypesTeams

Name	Description	Value
state	Describe whether this data type connection is enabled or not.	'Disabled' 'Enabled' (required)

OfficeDataConnectorProperties

Name	Description	Value
dataTypes	The available data types for the connector.	OfficeDataConnectorDataTypes (required)
tenantId	The tenant id to connect to, and get the data from.	string (required)

OfficeIRMDataConnector

Name	Description	Value
kind	The data connector kind	'OfficeIRM' (required)
properties	OfficeIRM (Microsoft Insider Risk Management) data connector properties.	OfficeIRMDataConnectorProperties

OfficeIRMDataConnectorProperties

Name	Description	Value
dataTypes	The available data types for the connector.	AlertsDataTypeOfDataConnector
tenantId	The tenant id to connect to, and get the data from.	string (required)

OfficePowerBIConnectorDataTypes

Name	Description	Value
logs	Logs data type.	OfficePowerBIConnectorDataTypesLogs (required)

OfficePowerBIConnectorDataTypesLogs

Name	Description	Value
state	Describe whether this data type connection is enabled or not.	'Disabled' 'Enabled' (required)

OfficePowerBIDataConnector

Name	Description	Value
kind	The data connector kind	'OfficePowerBI' (required)
properties	Office Microsoft PowerBI data connector properties.	OfficePowerBIDataConnectorProperties

OfficePowerBIDataConnectorProperties

Name	Description	Value
dataTypes	The available data types for the connector.	OfficePowerBIConnectorDataTypes (required)
tenantId	The tenant id to connect to, and get the data from.	string (required)

OracleAuthModel

Name	Description	Value
pemFile	Content of the PRM file	string (required)
publicFingerprint	Public Fingerprint	string (required)
tenantId	Oracle tenant ID	string (required)
type	The auth type	'Oracle' (required)
userId	Oracle user ID	string (required)

Permissions

Name	Description	Value
customs	Customs permissions required for the connector	PermissionsCustomsItem[]
resourceProvider	Resource provider permissions required for the connector	PermissionsResourceProviderItem[]

PermissionsCustomsItem

Name	Description	Value
description	Customs permissions description	string
name	Customs permissions name	string

PermissionsResourceProviderItem

Name	Description	Value
permissionsDisplayText	Permission description text	string
provider	Provider name	'microsoft.aadiam/diagnosticSettings' 'Microsoft.Authorization/policyAssignments' 'Microsoft.OperationalInsights/solutions' 'Microsoft.OperationalInsights/workspaces' 'Microsoft.OperationalInsights/workspaces/datasources' 'Microsoft.OperationalInsights/workspaces/sharedKeys'
providerDisplayName	Permission provider display name	string
requiredPermissions	Required permissions for the connector	RequiredPermissions
scope	Permission provider scope	'ResourceGroup' 'Subscription' 'Workspace'

PurviewAuditConnectorDataTypes

Name	Description	Value
logs	Logs data type.	PurviewAuditConnectorDataTypesLogs (required)

PurviewAuditConnectorDataTypesLogs

Name	Description	Value
state	Describe whether this data type connection is enabled or not.	'Disabled' 'Enabled' (required)

PurviewAuditDataConnector

Name	Description	Value
kind	The data connector kind	'PurviewAudit' (required)
properties	PurviewAudit data connector properties.	PurviewAuditDataConnectorProperties

PurviewAuditDataConnectorProperties

Name	Description	Value
connectorDefinitionName	The connector definition name (the dataConnectorDefinition resource id).	string
dataTypes	The available data types for the connector.	PurviewAuditConnectorDataTypes (required)
dcrConfig	The DCR related properties.	DCRConfiguration
sourceType	The source type indicates which kind of data is relevant for this connector.	string
tenantId	The tenant id to connect to, and get the data from.	string (required)

RequiredPermissions

Name	Description	Value
action	action permission	bool
delete	delete permission	bool
read	read permission	bool
write	write permission	bool

RestApiPollerDataConnector

Name	Description	Value
kind	The data connector kind	'RestApiPoller' (required)
properties	Rest Api Poller data connector properties.	RestApiPollerDataConnectorProperties

RestApiPollerDataConnectorProperties

Name	Description	Value
addOnAttributes	The add on attributes. The key name will become attribute name (a column) and the value will become the attribute value in the payload.	RestApiPollerDataConnectorPropertiesAddOnAttributes
auth	The a authentication model.	CcpAuthConfig (required)
connectorDefinitionName	The connector definition name (the dataConnectorDefinition resource id).	string (required)
dataType	The Log Analytics table destination.	string
dcrConfig	The DCR related properties.	DCRConfiguration
isActive	Indicates whether the connector is active or not.	bool
paging	The paging configuration.	RestApiPollerRequestPagingConfig
request	The request configuration.	RestApiPollerRequestConfig (required)
response	The response configuration.	CcpResponseConfig

RestApiPollerDataConnectorPropertiesAddOnAttributes

Name	Description	Value

RestApiPollerRequestConfig

Name	Description	Value
apiEndpoint	The API endpoint.	string (required)
endTimeAttributeName	The query parameter name which the remote server expect to end query. This property goes hand to hand with startTimeAttributeName	string
headers	The header for the request for the remote server.	RestApiPollerRequestConfigHeaders
httpMethod	The HTTP method, default value GET.	'DELETE' 'GET' 'POST' 'PUT'
isPostPayloadJson	Flag to indicate if HTTP POST payload is in JSON format (vs form-urlencoded).	bool
queryParameters	The HTTP query parameters to RESTful API.	RestApiPollerRequestConfigQueryParameters
queryParametersTemplate	the query parameters template. Defines the query parameters template to use when passing query parameters in advanced scenarios.	string
queryTimeFormat	The query time format. A remote server can have a query to pull data from range 'start' to 'end'. This property indicate what is the expected time format the remote server know to parse.	string
queryTimeIntervalAttributeName	The query parameter name which we need to send the server for query logs in time interval. Should be defined with queryTimeIntervalPrepend and queryTimeIntervalDelimiter	string
queryTimeIntervalDelimiter	The delimiter string between 2 QueryTimeFormat in the query parameter queryTimeIntervalAttributeName.	string
queryTimeIntervalPrepend	The string prepend to the value of the query parameter in queryTimeIntervalAttributeName.	string
queryWindowInMin	The query window in minutes for the request.	int
rateLimitQPS	The Rate limit queries per second for the request..	int
retryCount	The retry count.	int
startTimeAttributeName	The query parameter name which the remote server expect to start query. This property goes hand to hand with endTimeAttributeName.	string
timeoutInSeconds	The timeout in seconds.	int

RestApiPollerRequestConfigHeaders

Name	Description	Value

RestApiPollerRequestConfigQueryParameters

Name	Description	Value

RestApiPollerRequestPagingConfig

Name	Description	Value
pageSize	Page size	int
pageSizeParameterName	Page size parameter name	string
pagingType	Type of paging	'CountBasedPaging' 'LinkHeader' 'NextPageToken' 'NextPageUrl' 'Offset' 'PersistentLinkHeader' 'PersistentToken' (required)

SessionAuthModel

Name	Description	Value
headers	HTTP request headers to session service endpoint.	SessionAuthModelHeaders
isPostPayloadJson	Indicating whether API key is set in HTTP POST payload.	bool
password	The password attribute name.	SessionAuthModelPassword (required)
queryParameters	Query parameters to session service endpoint.	SessionAuthModelQueryParameters
sessionIdName	Session id attribute name from HTTP response header.	string
sessionLoginRequestUri	HTTP request URL to session service endpoint.	string
sessionTimeoutInMinutes	Session timeout in minutes.	int
type	The auth type	'Session' (required)
userName	The user name attribute key value.	SessionAuthModelUserName (required)

SessionAuthModelHeaders

Name	Description	Value

SessionAuthModelPassword

Name	Description	Value

SessionAuthModelQueryParameters

Name	Description	Value

SessionAuthModelUserName

Name	Description	Value

TIDataConnector

Name	Description	Value
kind	The data connector kind	'ThreatIntelligence' (required)
properties	TI (Threat Intelligence) data connector properties.	TIDataConnectorProperties

TIDataConnectorDataTypes

Name	Description	Value
indicators	Data type for indicators connection.	TIDataConnectorDataTypesIndicators (required)

TIDataConnectorDataTypesIndicators

Name	Description	Value
state	Describe whether this data type connection is enabled or not.	'Disabled' 'Enabled' (required)

TIDataConnectorProperties

Name	Description	Value
dataTypes	The available data types for the connector.	TIDataConnectorDataTypes (required)
tenantId	The tenant id to connect to, and get the data from.	string (required)
tipLookbackPeriod	The lookback period for the feed to be imported.	string

TiTaxiiDataConnector

Name	Description	Value
kind	The data connector kind	'ThreatIntelligenceTaxii' (required)
properties	Threat intelligence TAXII data connector properties.	TiTaxiiDataConnectorProperties

TiTaxiiDataConnectorDataTypes

Name	Description	Value
taxiiClient	Data type for TAXII connector.	TiTaxiiDataConnectorDataTypesTaxiiClient (required)

TiTaxiiDataConnectorDataTypesTaxiiClient

Name	Description	Value
state	Describe whether this data type connection is enabled or not.	'Disabled' 'Enabled' (required)

TiTaxiiDataConnectorProperties

Name	Description	Value
collectionId	The collection id of the TAXII server.	string
dataTypes	The available data types for Threat Intelligence TAXII data connector.	TiTaxiiDataConnectorDataTypes (required)
friendlyName	The friendly name for the TAXII server.	string
password	The password for the TAXII server.	string
pollingFrequency	The polling frequency for the TAXII server.	'OnceADay' 'OnceAMinute' 'OnceAnHour' (required)
taxiiLookbackPeriod	The lookback period for the TAXII server.	string
taxiiServer	The API root for the TAXII server.	string
tenantId	The tenant id to connect to, and get the data from.	string (required)
userName	The userName for the TAXII server.	string
workspaceId	The workspace id.	string

Terraform (AzAPI provider) resource definition

The dataConnectors resource type can be deployed with operations that target:

For a list of changed properties in each API version, see change log.

Resource format

To create a Microsoft.SecurityInsights/dataConnectors resource, add the following Terraform to your template.

resource "azapi_resource" "symbolicname" {
  etag = "string"
  name = "string"
  kind = "string"
  // For remaining properties, see Microsoft.SecurityInsights/dataConnectors objects
}

CcpAuthConfig objects

Set the type property to specify the type of object.

For APIKey, use:

{
  apiKey = "string"
  apiKeyIdentifier = "string"
  apiKeyName = "string"
  isApiKeyInPostPayload = bool
  type = "APIKey"
}

For AWS, use:

{
  externalId = "string"
  roleArn = "string"
  type = "AWS"
}

For Basic, use:

{
  password = "string"
  type = "Basic"
  userName = "string"
}

For GCP, use:

{
  projectNumber = "string"
  serviceAccountEmail = "string"
  type = "GCP"
  workloadIdentityProviderId = "string"
}

For GitHub, use:

{
  installationId = "string"
  type = "GitHub"
}

For JwtToken, use:

{
  headers = {
    {customized property} = "string"
  }
  isCredentialsInHeaders = bool
  isJsonRequest = bool
  password = {
    {customized property} = "string"
  }
  queryParameters = {
    {customized property} = "string"
  }
  requestTimeoutInSeconds = int
  tokenEndpoint = "string"
  type = "JwtToken"
  userName = {
    {customized property} = "string"
  }
}

For None, use:

{
  type = "None"
}

For OAuth2, use:

{
  accessTokenPrepend = "string"
  authorizationCode = "string"
  authorizationEndpoint = "string"
  authorizationEndpointHeaders = {
    {customized property} = "string"
  }
  authorizationEndpointQueryParameters = {
    {customized property} = "string"
  }
  clientId = "string"
  clientSecret = "string"
  grantType = "string"
  isCredentialsInHeaders = bool
  isJwtBearerFlow = bool
  redirectUri = "string"
  scope = "string"
  tokenEndpoint = "string"
  tokenEndpointHeaders = {
    {customized property} = "string"
  }
  tokenEndpointQueryParameters = {
    {customized property} = "string"
  }
  type = "OAuth2"
}

For Oracle, use:

{
  pemFile = "string"
  publicFingerprint = "string"
  tenantId = "string"
  type = "Oracle"
  userId = "string"
}

For ServiceBus, use:

{
  credentialsConfig = {
    {customized property} = "string"
  }
  storageAccountCredentialsConfig = {
    {customized property} = "string"
  }
  type = "ServiceBus"
}

For Session, use:

{
  headers = {
    {customized property} = "string"
  }
  isPostPayloadJson = bool
  password = {
    {customized property} = "string"
  }
  queryParameters = {
    {customized property} = ?
  }
  sessionIdName = "string"
  sessionLoginRequestUri = "string"
  sessionTimeoutInMinutes = int
  type = "Session"
  userName = {
    {customized property} = "string"
  }
}

Microsoft.SecurityInsights/dataConnectors objects

Set the kind property to specify the type of object.

For APIPolling, use:

{
  kind = "APIPolling"
  properties = {
    connectorUiConfig = {
      availability = {
        isPreview = bool
        status = "1"
      }
      connectivityCriteria = [
        {
          type = "string"
          value = [
            "string"
          ]
        }
      ]
      customImage = "string"
      dataTypes = [
        {
          lastDataReceivedQuery = "string"
          name = "string"
        }
      ]
      descriptionMarkdown = "string"
      graphQueries = [
        {
          baseQuery = "string"
          legend = "string"
          metricName = "string"
        }
      ]
      graphQueriesTableName = "string"
      instructionSteps = [
        {
          description = "string"
          instructions = [
            {
              parameters = ?
              type = "string"
            }
          ]
          title = "string"
        }
      ]
      permissions = {
        customs = [
          {
            description = "string"
            name = "string"
          }
        ]
        resourceProvider = [
          {
            permissionsDisplayText = "string"
            provider = "string"
            providerDisplayName = "string"
            requiredPermissions = {
              action = bool
              delete = bool
              read = bool
              write = bool
            }
            scope = "string"
          }
        ]
      }
      publisher = "string"
      sampleQueries = [
        {
          description = "string"
          query = "string"
        }
      ]
      title = "string"
    }
    pollingConfig = {
      auth = {
        apiKeyIdentifier = "string"
        apiKeyName = "string"
        authorizationEndpoint = "string"
        authorizationEndpointQueryParameters = ?
        authType = "string"
        flowName = "string"
        isApiKeyInPostPayload = "string"
        isClientSecretInHeader = bool
        redirectionEndpoint = "string"
        scope = "string"
        tokenEndpoint = "string"
        tokenEndpointHeaders = ?
        tokenEndpointQueryParameters = ?
      }
      isActive = bool
      paging = {
        nextPageParaName = "string"
        nextPageTokenJsonPath = "string"
        pageCountAttributePath = "string"
        pageSize = int
        pageSizeParaName = "string"
        pageTimeStampAttributePath = "string"
        pageTotalCountAttributePath = "string"
        pagingType = "string"
        searchTheLatestTimeStampFromEventsList = "string"
      }
      request = {
        apiEndpoint = "string"
        endTimeAttributeName = "string"
        headers = ?
        httpMethod = "string"
        queryParameters = ?
        queryParametersTemplate = "string"
        queryTimeFormat = "string"
        queryWindowInMin = int
        rateLimitQps = int
        retryCount = int
        startTimeAttributeName = "string"
        timeoutInSeconds = int
      }
      response = {
        eventsJsonPaths = [
          "string"
        ]
        isGzipCompressed = bool
        successStatusJsonPath = "string"
        successStatusValue = "string"
      }
    }
  }
}

For AmazonWebServicesCloudTrail, use:

{
  kind = "AmazonWebServicesCloudTrail"
  properties = {
    awsRoleArn = "string"
    dataTypes = {
      logs = {
        state = "string"
      }
    }
  }
}

For AmazonWebServicesS3, use:

{
  kind = "AmazonWebServicesS3"
  properties = {
    dataTypes = {
      logs = {
        state = "string"
      }
    }
    destinationTable = "string"
    roleArn = "string"
    sqsUrls = [
      "string"
    ]
  }
}

For AzureActiveDirectory, use:

{
  kind = "AzureActiveDirectory"
  properties = {
    dataTypes = {
      alerts = {
        state = "string"
      }
    }
    tenantId = "string"
  }
}

For AzureAdvancedThreatProtection, use:

{
  kind = "AzureAdvancedThreatProtection"
  properties = {
    dataTypes = {
      alerts = {
        state = "string"
      }
    }
    tenantId = "string"
  }
}

For AzureSecurityCenter, use:

{
  kind = "AzureSecurityCenter"
  properties = {
    dataTypes = {
      alerts = {
        state = "string"
      }
    }
    subscriptionId = "string"
  }
}

For Dynamics365, use:

{
  kind = "Dynamics365"
  properties = {
    dataTypes = {
      dynamics365CdsActivities = {
        state = "string"
      }
    }
    tenantId = "string"
  }
}

For GCP, use:

{
  kind = "GCP"
  properties = {
    auth = {
      projectNumber = "string"
      serviceAccountEmail = "string"
      workloadIdentityProviderId = "string"
    }
    connectorDefinitionName = "string"
    dcrConfig = {
      dataCollectionEndpoint = "string"
      dataCollectionRuleImmutableId = "string"
      streamName = "string"
    }
    request = {
      projectId = "string"
      subscriptionNames = [
        "string"
      ]
    }
  }
}

For GenericUI, use:

{
  kind = "GenericUI"
  properties = {
    connectorUiConfig = {
      availability = {
        isPreview = bool
        status = "1"
      }
      connectivityCriteria = [
        {
          type = "string"
          value = [
            "string"
          ]
        }
      ]
      customImage = "string"
      dataTypes = [
        {
          lastDataReceivedQuery = "string"
          name = "string"
        }
      ]
      descriptionMarkdown = "string"
      graphQueries = [
        {
          baseQuery = "string"
          legend = "string"
          metricName = "string"
        }
      ]
      graphQueriesTableName = "string"
      instructionSteps = [
        {
          description = "string"
          instructions = [
            {
              parameters = ?
              type = "string"
            }
          ]
          title = "string"
        }
      ]
      permissions = {
        customs = [
          {
            description = "string"
            name = "string"
          }
        ]
        resourceProvider = [
          {
            permissionsDisplayText = "string"
            provider = "string"
            providerDisplayName = "string"
            requiredPermissions = {
              action = bool
              delete = bool
              read = bool
              write = bool
            }
            scope = "string"
          }
        ]
      }
      publisher = "string"
      sampleQueries = [
        {
          description = "string"
          query = "string"
        }
      ]
      title = "string"
    }
  }
}

For IOT, use:

{
  kind = "IOT"
  properties = {
    dataTypes = {
      alerts = {
        state = "string"
      }
    }
    subscriptionId = "string"
  }
}

For MicrosoftCloudAppSecurity, use:

{
  kind = "MicrosoftCloudAppSecurity"
  properties = {
    dataTypes = {
      alerts = {
        state = "string"
      }
      discoveryLogs = {
        state = "string"
      }
    }
    tenantId = "string"
  }
}

For MicrosoftDefenderAdvancedThreatProtection, use:

{
  kind = "MicrosoftDefenderAdvancedThreatProtection"
  properties = {
    dataTypes = {
      alerts = {
        state = "string"
      }
    }
    tenantId = "string"
  }
}

For MicrosoftPurviewInformationProtection, use:

{
  kind = "MicrosoftPurviewInformationProtection"
  properties = {
    dataTypes = {
      logs = {
        state = "string"
      }
    }
    tenantId = "string"
  }
}

For MicrosoftThreatIntelligence, use:

{
  kind = "MicrosoftThreatIntelligence"
  properties = {
    dataTypes = {
      microsoftEmergingThreatFeed = {
        lookbackPeriod = "string"
        state = "string"
      }
    }
    tenantId = "string"
  }
}

For MicrosoftThreatProtection, use:

{
  kind = "MicrosoftThreatProtection"
  properties = {
    dataTypes = {
      alerts = {
        state = "string"
      }
      incidents = {
        state = "string"
      }
    }
    filteredProviders = {
      alerts = [
        "string"
      ]
    }
    tenantId = "string"
  }
}

For Office365, use:

{
  kind = "Office365"
  properties = {
    dataTypes = {
      exchange = {
        state = "string"
      }
      sharePoint = {
        state = "string"
      }
      teams = {
        state = "string"
      }
    }
    tenantId = "string"
  }
}

For Office365Project, use:

{
  kind = "Office365Project"
  properties = {
    dataTypes = {
      logs = {
        state = "string"
      }
    }
    tenantId = "string"
  }
}

For OfficeATP, use:

{
  kind = "OfficeATP"
  properties = {
    dataTypes = {
      alerts = {
        state = "string"
      }
    }
    tenantId = "string"
  }
}

For OfficeIRM, use:

{
  kind = "OfficeIRM"
  properties = {
    dataTypes = {
      alerts = {
        state = "string"
      }
    }
    tenantId = "string"
  }
}

For OfficePowerBI, use:

{
  kind = "OfficePowerBI"
  properties = {
    dataTypes = {
      logs = {
        state = "string"
      }
    }
    tenantId = "string"
  }
}

For PurviewAudit, use:

{
  kind = "PurviewAudit"
  properties = {
    connectorDefinitionName = "string"
    dataTypes = {
      logs = {
        state = "string"
      }
    }
    dcrConfig = {
      dataCollectionEndpoint = "string"
      dataCollectionRuleImmutableId = "string"
      streamName = "string"
    }
    sourceType = "string"
    tenantId = "string"
  }
}

For RestApiPoller, use:

{
  kind = "RestApiPoller"
  properties = {
    addOnAttributes = {
      {customized property} = "string"
    }
    auth = {
      type = "string"
      // For remaining properties, see CcpAuthConfig objects
    }
    connectorDefinitionName = "string"
    dataType = "string"
    dcrConfig = {
      dataCollectionEndpoint = "string"
      dataCollectionRuleImmutableId = "string"
      streamName = "string"
    }
    isActive = bool
    paging = {
      pageSize = int
      pageSizeParameterName = "string"
      pagingType = "string"
    }
    request = {
      apiEndpoint = "string"
      endTimeAttributeName = "string"
      headers = {
        {customized property} = "string"
      }
      httpMethod = "string"
      isPostPayloadJson = bool
      queryParameters = {
        {customized property} = ?
      }
      queryParametersTemplate = "string"
      queryTimeFormat = "string"
      queryTimeIntervalAttributeName = "string"
      queryTimeIntervalDelimiter = "string"
      queryTimeIntervalPrepend = "string"
      queryWindowInMin = int
      rateLimitQPS = int
      retryCount = int
      startTimeAttributeName = "string"
      timeoutInSeconds = int
    }
    response = {
      compressionAlgo = "string"
      convertChildPropertiesToArray = bool
      csvDelimiter = "string"
      csvEscape = "string"
      eventsJsonPaths = [
        "string"
      ]
      format = "string"
      hasCsvBoundary = bool
      hasCsvHeader = bool
      isGzipCompressed = bool
      successStatusJsonPath = "string"
      successStatusValue = "string"
    }
  }
}

For ThreatIntelligence, use:

{
  kind = "ThreatIntelligence"
  properties = {
    dataTypes = {
      indicators = {
        state = "string"
      }
    }
    tenantId = "string"
    tipLookbackPeriod = "string"
  }
}

For ThreatIntelligenceTaxii, use:

{
  kind = "ThreatIntelligenceTaxii"
  properties = {
    collectionId = "string"
    dataTypes = {
      taxiiClient = {
        state = "string"
      }
    }
    friendlyName = "string"
    password = "string"
    pollingFrequency = "string"
    taxiiLookbackPeriod = "string"
    taxiiServer = "string"
    tenantId = "string"
    userName = "string"
    workspaceId = "string"
  }
}

Property values

AADDataConnector

Name	Description	Value
kind	The data connector kind	'AzureActiveDirectory' (required)
properties	AADIP (Azure Active Directory Identity Protection) data connector properties.	AADDataConnectorProperties

AADDataConnectorProperties

Name	Description	Value
dataTypes	The available data types for the connector.	AlertsDataTypeOfDataConnector
tenantId	The tenant id to connect to, and get the data from.	string (required)

AatpDataConnector

Name	Description	Value
kind	The data connector kind	'AzureAdvancedThreatProtection' (required)
properties	AATP (Azure Advanced Threat Protection) data connector properties.	AatpDataConnectorProperties

AatpDataConnectorProperties

Name	Description	Value
dataTypes	The available data types for the connector.	AlertsDataTypeOfDataConnector
tenantId	The tenant id to connect to, and get the data from.	string (required)

AlertsDataTypeOfDataConnector

Name	Description	Value
alerts	Alerts data type connection.	DataConnectorDataTypeCommon (required)

ApiKeyAuthModel

Name	Description	Value
apiKey	API Key for the user secret key credential	string (required)
apiKeyIdentifier	API Key Identifier	string
apiKeyName	API Key name	string (required)
isApiKeyInPostPayload	Flag to indicate if API key is set in HTTP POST payload	bool
type	The auth type	'APIKey' (required)

ApiPollingParameters

Name	Description	Value
connectorUiConfig	Config to describe the instructions blade	CodelessUiConnectorConfigProperties
pollingConfig	Config to describe the polling instructions	CodelessConnectorPollingConfigProperties

ASCDataConnector

Name	Description	Value
kind	The data connector kind	'AzureSecurityCenter' (required)
properties	ASC (Azure Security Center) data connector properties.	ASCDataConnectorProperties

ASCDataConnectorProperties

Name	Description	Value
dataTypes	The available data types for the connector.	AlertsDataTypeOfDataConnector
subscriptionId	The subscription id to connect to, and get the data from.	string

Availability

Name	Description	Value
isPreview	Set connector as preview	bool
status	The connector Availability Status	'1'

AWSAuthModel

Name	Description	Value
externalId	AWS STS assume role external ID. This is used to prevent the confused deputy problem: 'https://docs.aws.amazon.com/IAM/latest/UserGuide/confused-deputy.html'	string
roleArn	AWS STS assume role ARN	string (required)
type	The auth type	'AWS' (required)

AwsCloudTrailDataConnector

Name	Description	Value
kind	The data connector kind	'AmazonWebServicesCloudTrail' (required)
properties	Amazon Web Services CloudTrail data connector properties.	AwsCloudTrailDataConnectorProperties

AwsCloudTrailDataConnectorDataTypes

Name	Description	Value
logs	Logs data type.	AwsCloudTrailDataConnectorDataTypesLogs (required)

AwsCloudTrailDataConnectorDataTypesLogs

Name	Description	Value
state	Describe whether this data type connection is enabled or not.	'Disabled' 'Enabled' (required)

AwsCloudTrailDataConnectorProperties

Name	Description	Value
awsRoleArn	The Aws Role Arn (with CloudTrailReadOnly policy) that is used to access the Aws account.	string
dataTypes	The available data types for the connector.	AwsCloudTrailDataConnectorDataTypes (required)

AwsS3DataConnector

Name	Description	Value
kind	The data connector kind	'AmazonWebServicesS3' (required)
properties	Amazon Web Services S3 data connector properties.	AwsS3DataConnectorProperties

AwsS3DataConnectorDataTypes

Name	Description	Value
logs	Logs data type.	AwsS3DataConnectorDataTypesLogs (required)

AwsS3DataConnectorDataTypesLogs

Name	Description	Value
state	Describe whether this data type connection is enabled or not.	'Disabled' 'Enabled' (required)

AwsS3DataConnectorProperties

Name	Description	Value
dataTypes	The available data types for the connector.	AwsS3DataConnectorDataTypes (required)
destinationTable	The logs destination table name in LogAnalytics.	string (required)
roleArn	The Aws Role Arn that is used to access the Aws account.	string (required)
sqsUrls	The AWS sqs urls for the connector.	string[] (required)

BasicAuthModel

Name	Description	Value
password	The password	string (required)
type	The auth type	'Basic' (required)
userName	The user name.	string (required)

CcpAuthConfig

Name	Description	Value
type	Set to 'APIKey' for type ApiKeyAuthModel. Set to 'AWS' for type AWSAuthModel. Set to 'Basic' for type BasicAuthModel. Set to 'GCP' for type GCPAuthModel. Set to 'GitHub' for type GitHubAuthModel. Set to 'JwtToken' for type JwtAuthModel. Set to 'None' for type NoneAuthModel. Set to 'OAuth2' for type OAuthModel. Set to 'Oracle' for type OracleAuthModel. Set to 'ServiceBus' for type GenericBlobSbsAuthModel. Set to 'Session' for type SessionAuthModel.	'APIKey' 'AWS' 'Basic' 'GCP' 'GitHub' 'JwtToken' 'None' 'OAuth2' 'Oracle' 'ServiceBus' 'Session' (required)

CcpResponseConfig

Name	Description	Value
compressionAlgo	The compression algorithm. For Example: 'gzip', 'multi-gzip', 'deflate'.	string
convertChildPropertiesToArray	The value indicating whether the response isn't an array of events / logs. By setting this flag to true it means the remote server will response with an object which each property has as a value an array of events / logs.	bool
csvDelimiter	The csv delimiter, in case the response format is CSV.	string
csvEscape	The character used to escape characters in CSV.	string Constraints: Min length = 1 Max length = 1
eventsJsonPaths	The json paths, '$' char is the json root.	string[] (required)
format	The response format. possible values are json,csv,xml	string
hasCsvBoundary	The value indicating whether the response has CSV boundary in case the response in CSV format.	bool
hasCsvHeader	The value indicating whether the response has headers in case the response in CSV format.	bool
isGzipCompressed	The value indicating whether the remote server support Gzip and we should expect Gzip response.	bool
successStatusJsonPath	The value where the status message/code should appear in the response.	string
successStatusValue	The status value.	string

CodelessApiPollingDataConnector

Name	Description	Value
kind	The data connector kind	'APIPolling' (required)
properties	Codeless poling data connector properties	ApiPollingParameters

CodelessConnectorPollingAuthProperties

Name	Description	Value
apiKeyIdentifier	A prefix send in the header before the actual token	string
apiKeyName	The header name which the token is sent with	string
authorizationEndpoint	The endpoint used to authorize the user, used in Oauth 2.0 flow	string
authorizationEndpointQueryParameters	The query parameters used in authorization request, used in Oauth 2.0 flow	any
authType	The authentication type	string (required)
flowName	Describes the flow name, for example 'AuthCode' for Oauth 2.0	string
isApiKeyInPostPayload	Marks if the key should sent in header	string
isClientSecretInHeader	Marks if we should send the client secret in header or payload, used in Oauth 2.0 flow	bool
redirectionEndpoint	The redirect endpoint where we will get the authorization code, used in Oauth 2.0 flow	string
scope	The OAuth token scope	string
tokenEndpoint	The endpoint used to issue a token, used in Oauth 2.0 flow	string
tokenEndpointHeaders	The query headers used in token request, used in Oauth 2.0 flow	any
tokenEndpointQueryParameters	The query parameters used in token request, used in Oauth 2.0 flow	any

CodelessConnectorPollingConfigProperties

Name	Description	Value
auth	Describe the authentication type of the poller	CodelessConnectorPollingAuthProperties (required)
isActive	The poller active status	bool
paging	Describe the poll request paging config of the poller	CodelessConnectorPollingPagingProperties
request	Describe the poll request config parameters of the poller	CodelessConnectorPollingRequestProperties (required)
response	Describe the response config parameters of the poller	CodelessConnectorPollingResponseProperties

CodelessConnectorPollingPagingProperties

Name	Description	Value
nextPageParaName	Defines the name of a next page attribute	string
nextPageTokenJsonPath	Defines the path to a next page token JSON	string
pageCountAttributePath	Defines the path to a page count attribute	string
pageSize	Defines the paging size	int
pageSizeParaName	Defines the name of the page size parameter	string
pageTimeStampAttributePath	Defines the path to a paging time stamp attribute	string
pageTotalCountAttributePath	Defines the path to a page total count attribute	string
pagingType	Describes the type. could be 'None', 'PageToken', 'PageCount', 'TimeStamp'	string (required)
searchTheLatestTimeStampFromEventsList	Determines whether to search for the latest time stamp in the events list	string

CodelessConnectorPollingRequestProperties

Name	Description	Value
apiEndpoint	Describe the endpoint we should pull the data from	string (required)
endTimeAttributeName	This will be used the query events from the end of the time window	string
headers	Describe the headers sent in the poll request	any
httpMethod	The http method type we will use in the poll request, GET or POST	string (required)
queryParameters	Describe the query parameters sent in the poll request	any
queryParametersTemplate	For advanced scenarios for example user name/password embedded in nested JSON payload	string
queryTimeFormat	The time format will be used the query events in a specific window	string (required)
queryWindowInMin	The window interval we will use the pull the data	int (required)
rateLimitQps	Defines the rate limit QPS	int
retryCount	Describe the amount of time we should try and poll the data in case of failure	int
startTimeAttributeName	This will be used the query events from a start of the time window	string
timeoutInSeconds	The number of seconds we will consider as a request timeout	int

CodelessConnectorPollingResponseProperties

Name	Description	Value
eventsJsonPaths	Describes the path we should extract the data in the response	string[] (required)
isGzipCompressed	Describes if the data in the response is Gzip	bool
successStatusJsonPath	Describes the path we should extract the status code in the response	string
successStatusValue	Describes the path we should extract the status value in the response	string

CodelessParameters

Name	Description	Value
connectorUiConfig	Config to describe the instructions blade	CodelessUiConnectorConfigProperties

CodelessUiConnectorConfigProperties

Name	Description	Value
availability	Connector Availability Status	Availability (required)
connectivityCriteria	Define the way the connector check connectivity	CodelessUiConnectorConfigPropertiesConnectivityCriteriaItem[] (required)
customImage	An optional custom image to be used when displaying the connector within Azure Sentinel's connector's gallery	string
dataTypes	Data types to check for last data received	CodelessUiConnectorConfigPropertiesDataTypesItem[] (required)
descriptionMarkdown	Connector description	string (required)
graphQueries	The graph query to show the current data status	CodelessUiConnectorConfigPropertiesGraphQueriesItem[] (required)
graphQueriesTableName	Name of the table the connector will insert the data to	string (required)
instructionSteps	Instruction steps to enable the connector	CodelessUiConnectorConfigPropertiesInstructionStepsItem[] (required)
permissions	Permissions required for the connector	Permissions (required)
publisher	Connector publisher name	string (required)
sampleQueries	The sample queries for the connector	CodelessUiConnectorConfigPropertiesSampleQueriesItem[] (required)
title	Connector blade title	string (required)

CodelessUiConnectorConfigPropertiesConnectivityCriteriaItem

Name	Description	Value
type	type of connectivity	'IsConnectedQuery'
value	Queries for checking connectivity	string[]

CodelessUiConnectorConfigPropertiesDataTypesItem

Name	Description	Value
lastDataReceivedQuery	Query for indicate last data received	string
name	Name of the data type to show in the graph. can be use with {{graphQueriesTableName}} placeholder	string

CodelessUiConnectorConfigPropertiesGraphQueriesItem

Name	Description	Value
baseQuery	The base query for the graph	string
legend	The legend for the graph	string
metricName	the metric that the query is checking	string

CodelessUiConnectorConfigPropertiesInstructionStepsItem

Name	Description	Value
description	Instruction step description	string
instructions	Instruction step details	InstructionStepsInstructionsItem[]
title	Instruction step title	string

CodelessUiConnectorConfigPropertiesSampleQueriesItem

Name	Description	Value
description	The sample query description	string
query	the sample query	string

CodelessUiDataConnector

Name	Description	Value
kind	The data connector kind	'GenericUI' (required)
properties	Codeless UI data connector properties	CodelessParameters

DataConnectorDataTypeCommon

Name	Description	Value
state	Describe whether this data type connection is enabled or not.	'Disabled' 'Enabled' (required)

DCRConfiguration

Name	Description	Value
dataCollectionEndpoint	Represents the data collection ingestion endpoint in log analytics.	string (required)
dataCollectionRuleImmutableId	The data collection rule immutable id, the rule defines the transformation and data destination.	string (required)
streamName	The stream we are sending the data to.	string (required)

Dynamics365DataConnector

Name	Description	Value
kind	The data connector kind	'Dynamics365' (required)
properties	Dynamics365 data connector properties.	Dynamics365DataConnectorProperties

Dynamics365DataConnectorDataTypes

Name	Description	Value
dynamics365CdsActivities	Common Data Service data type connection.	Dynamics365DataConnectorDataTypesDynamics365CdsActivities (required)

Dynamics365DataConnectorDataTypesDynamics365CdsActivities

Name	Description	Value
state	Describe whether this data type connection is enabled or not.	'Disabled' 'Enabled' (required)

Dynamics365DataConnectorProperties

Name	Description	Value
dataTypes	The available data types for the connector.	Dynamics365DataConnectorDataTypes (required)
tenantId	The tenant id to connect to, and get the data from.	string (required)

GCPAuthModel

Name	Description	Value
projectNumber	GCP Project Number	string (required)
serviceAccountEmail	GCP Service Account Email	string (required)
type	The auth type	'GCP' (required)
workloadIdentityProviderId	GCP Workload Identity Provider ID	string (required)

GCPAuthProperties

Name	Description	Value
projectNumber	The GCP project number.	string (required)
serviceAccountEmail	The service account that is used to access the GCP project.	string (required)
workloadIdentityProviderId	The workload identity provider id that is used to gain access to the GCP project.	string (required)

GCPDataConnector

Name	Description	Value
kind	The data connector kind	'GCP' (required)
properties	Google Cloud Platform data connector properties.	GCPDataConnectorProperties

GCPDataConnectorProperties

Name	Description	Value
auth	The auth section of the connector.	GCPAuthProperties (required)
connectorDefinitionName	The name of the connector definition that represents the UI config.	string (required)
dcrConfig	The configuration of the destination of the data.	DCRConfiguration
request	The request section of the connector.	GCPRequestProperties (required)

GCPRequestProperties

Name	Description	Value
projectId	The GCP project id.	string (required)
subscriptionNames	The GCP pub/sub subscription names.	string[] (required)

GenericBlobSbsAuthModel

Name	Description	Value
credentialsConfig	Credentials for service bus namespace, keyvault uri for access key	GenericBlobSbsAuthModelCredentialsConfig
storageAccountCredentialsConfig	Credentials for storage account, keyvault uri for access key	GenericBlobSbsAuthModelStorageAccountCredentialsConfig
type	The auth type	'ServiceBus' (required)

GenericBlobSbsAuthModelCredentialsConfig

Name	Description	Value

GenericBlobSbsAuthModelStorageAccountCredentialsConfig

Name	Description	Value

GitHubAuthModel

Name	Description	Value
installationId	The GitHubApp auth installation id.	string
type	The auth type	'GitHub' (required)

InstructionStepsInstructionsItem

Name	Description	Value
parameters	The parameters for the setting	any
type	The kind of the setting	'CopyableLabel' 'InfoMessage' 'InstructionStepsGroup' (required)

IoTDataConnector

Name	Description	Value
kind	The data connector kind	'IOT' (required)
properties	IoT data connector properties.	IoTDataConnectorProperties

IoTDataConnectorProperties

Name	Description	Value
dataTypes	The available data types for the connector.	AlertsDataTypeOfDataConnector
subscriptionId	The subscription id to connect to, and get the data from.	string

JwtAuthModel

Name	Description	Value
headers	The custom headers we want to add once we send request to token endpoint.	JwtAuthModelHeaders
isCredentialsInHeaders	Flag indicating whether we want to send the user name and password to token endpoint in the headers.	bool
isJsonRequest	Flag indicating whether the body request is JSON (header Content-Type = application/json), meaning its a Form URL encoded request (header Content-Type = application/x-www-form-urlencoded).	bool
password	The password	JwtAuthModelPassword (required)
queryParameters	The custom query parameter we want to add once we send request to token endpoint.	JwtAuthModelQueryParameters
requestTimeoutInSeconds	Request timeout in seconds.	int Constraints: Max value = 180
tokenEndpoint	Token endpoint to request JWT	string (required)
type	The auth type	'JwtToken' (required)
userName	The user name. If user name and password sent in header request we only need to populate the value property with the user name (Same as basic auth). If user name and password sent in body request we need to specify the Key and Value.	JwtAuthModelUserName (required)

JwtAuthModelHeaders

Name	Description	Value

JwtAuthModelPassword

Name	Description	Value

JwtAuthModelQueryParameters

Name	Description	Value

JwtAuthModelUserName

Name	Description	Value

McasDataConnector

Name	Description	Value
kind	The data connector kind	'MicrosoftCloudAppSecurity' (required)
properties	MCAS (Microsoft Cloud App Security) data connector properties.	McasDataConnectorProperties

McasDataConnectorDataTypes

Name	Description	Value
alerts	Alerts data type connection.	DataConnectorDataTypeCommon (required)
discoveryLogs	Discovery log data type connection.	DataConnectorDataTypeCommon

McasDataConnectorProperties

Name	Description	Value
dataTypes	The available data types for the connector.	McasDataConnectorDataTypes (required)
tenantId	The tenant id to connect to, and get the data from.	string (required)

MdatpDataConnector

Name	Description	Value
kind	The data connector kind	'MicrosoftDefenderAdvancedThreatProtection' (required)
properties	MDATP (Microsoft Defender Advanced Threat Protection) data connector properties.	MdatpDataConnectorProperties

MdatpDataConnectorProperties

Name	Description	Value
dataTypes	The available data types for the connector.	AlertsDataTypeOfDataConnector
tenantId	The tenant id to connect to, and get the data from.	string (required)

Microsoft.SecurityInsights/dataConnectors

Name	Description	Value
etag	Etag of the azure resource	string
kind	Set to 'APIPolling' for type CodelessApiPollingDataConnector. Set to 'AmazonWebServicesCloudTrail' for type AwsCloudTrailDataConnector. Set to 'AmazonWebServicesS3' for type AwsS3DataConnector. Set to 'AzureActiveDirectory' for type AADDataConnector. Set to 'AzureAdvancedThreatProtection' for type AatpDataConnector. Set to 'AzureSecurityCenter' for type ASCDataConnector. Set to 'Dynamics365' for type Dynamics365DataConnector. Set to 'GCP' for type GCPDataConnector. Set to 'GenericUI' for type CodelessUiDataConnector. Set to 'IOT' for type IoTDataConnector. Set to 'MicrosoftCloudAppSecurity' for type McasDataConnector. Set to 'MicrosoftDefenderAdvancedThreatProtection' for type MdatpDataConnector. Set to 'MicrosoftPurviewInformationProtection' for type MicrosoftPurviewInformationProtectionDataConnector. Set to 'MicrosoftThreatIntelligence' for type MstiDataConnector. Set to 'MicrosoftThreatProtection' for type MTPDataConnector. Set to 'Office365' for type OfficeDataConnector. Set to 'Office365Project' for type Office365ProjectDataConnector. Set to 'OfficeATP' for type OfficeATPDataConnector. Set to 'OfficeIRM' for type OfficeIRMDataConnector. Set to 'OfficePowerBI' for type OfficePowerBIDataConnector. Set to 'PurviewAudit' for type PurviewAuditDataConnector. Set to 'RestApiPoller' for type RestApiPollerDataConnector. Set to 'ThreatIntelligence' for type TIDataConnector. Set to 'ThreatIntelligenceTaxii' for type TiTaxiiDataConnector.	'AmazonWebServicesCloudTrail' 'AmazonWebServicesS3' 'APIPolling' 'AzureActiveDirectory' 'AzureAdvancedThreatProtection' 'AzureSecurityCenter' 'Dynamics365' 'GCP' 'GenericUI' 'IOT' 'MicrosoftCloudAppSecurity' 'MicrosoftDefenderAdvancedThreatProtection' 'MicrosoftPurviewInformationProtection' 'MicrosoftThreatIntelligence' 'MicrosoftThreatProtection' 'Office365' 'Office365Project' 'OfficeATP' 'OfficeIRM' 'OfficePowerBI' 'PurviewAudit' 'RestApiPoller' 'ThreatIntelligence' 'ThreatIntelligenceTaxii' (required)
name	The resource name	string (required)
parent_id	The ID of the resource to apply this extension resource to.	string (required)
type	The resource type	"Microsoft.SecurityInsights/dataConnectors@2024-10-01-preview"

MicrosoftPurviewInformationProtectionConnectorDataTypes

Name	Description	Value
logs	Logs data type.	MicrosoftPurviewInformationProtectionConnectorDataTypesLogs (required)

MicrosoftPurviewInformationProtectionConnectorDataTypesLogs

Name	Description	Value
state	Describe whether this data type connection is enabled or not.	'Disabled' 'Enabled' (required)

MicrosoftPurviewInformationProtectionDataConnector

Name	Description	Value
kind	The data connector kind	'MicrosoftPurviewInformationProtection' (required)
properties	Microsoft Purview Information Protection data connector properties.	MicrosoftPurviewInformationProtectionDataConnectorProperties

MicrosoftPurviewInformationProtectionDataConnectorProperties

Name	Description	Value
dataTypes	The available data types for the connector.	MicrosoftPurviewInformationProtectionConnectorDataTypes (required)
tenantId	The tenant id to connect to, and get the data from.	string (required)

MstiDataConnector

Name	Description	Value
kind	The data connector kind	'MicrosoftThreatIntelligence' (required)
properties	Microsoft Threat Intelligence data connector properties.	MstiDataConnectorProperties

MstiDataConnectorDataTypes

Name	Description	Value
microsoftEmergingThreatFeed	Data type for Microsoft Threat Intelligence Platforms data connector.	MstiDataConnectorDataTypesMicrosoftEmergingThreatFeed (required)

MstiDataConnectorDataTypesMicrosoftEmergingThreatFeed

Name	Description	Value
lookbackPeriod	The lookback period for the feed to be imported.	string (required)
state	Describe whether this data type connection is enabled or not.	'Disabled' 'Enabled' (required)

MstiDataConnectorProperties

Name	Description	Value
dataTypes	The available data types for the connector.	MstiDataConnectorDataTypes (required)
tenantId	The tenant id to connect to, and get the data from.	string (required)

MTPDataConnector

Name	Description	Value
kind	The data connector kind	'MicrosoftThreatProtection' (required)
properties	MTP (Microsoft Threat Protection) data connector properties.	MTPDataConnectorProperties

MTPDataConnectorDataTypes

Name	Description	Value
alerts	Alerts data type for Microsoft Threat Protection Platforms data connector.	MTPDataConnectorDataTypesAlerts
incidents	Incidents data type for Microsoft Threat Protection Platforms data connector.	MTPDataConnectorDataTypesIncidents (required)

MTPDataConnectorDataTypesAlerts

Name	Description	Value
state	Describe whether this data type connection is enabled or not.	'Disabled' 'Enabled' (required)

MTPDataConnectorDataTypesIncidents

Name	Description	Value
state	Describe whether this data type connection is enabled or not.	'Disabled' 'Enabled' (required)

MTPDataConnectorProperties

Name	Description	Value
dataTypes	The available data types for the connector.	MTPDataConnectorDataTypes (required)
filteredProviders	The available filtered providers for the connector.	MtpFilteredProviders
tenantId	The tenant id to connect to, and get the data from.	string (required)

MtpFilteredProviders

Name	Description	Value
alerts	Alerts filtered providers. When filters are not applied, all alerts will stream through the MTP pipeline, still in private preview for all products EXCEPT MDA and MDI, which are in GA state.	String array containing any of: 'microsoftDefenderForCloudApps' 'microsoftDefenderForIdentity' (required)

NoneAuthModel

Name	Description	Value
type	The auth type	'None' (required)

OAuthModel

Name	Description	Value
accessTokenPrepend	Access token prepend. Default is 'Bearer'.	string
authorizationCode	The user's authorization code.	string
authorizationEndpoint	The authorization endpoint.	string
authorizationEndpointHeaders	The authorization endpoint headers.	OAuthModelAuthorizationEndpointHeaders
authorizationEndpointQueryParameters	The authorization endpoint query parameters.	OAuthModelAuthorizationEndpointQueryParameters
clientId	The Application (client) ID that the OAuth provider assigned to your app.	string (required)
clientSecret	The Application (client) secret that the OAuth provider assigned to your app.	string (required)
grantType	The grant type, usually will be 'authorization code'.	string (required)
isCredentialsInHeaders	Indicating whether we want to send the clientId and clientSecret to token endpoint in the headers.	bool
isJwtBearerFlow	A value indicating whether it's a JWT flow.	bool
redirectUri	The Application redirect url that the user config in the OAuth provider.	string
scope	The Application (client) Scope that the OAuth provider assigned to your app.	string
tokenEndpoint	The token endpoint. Defines the OAuth2 refresh token.	string (required)
tokenEndpointHeaders	The token endpoint headers.	OAuthModelTokenEndpointHeaders
tokenEndpointQueryParameters	The token endpoint query parameters.	OAuthModelTokenEndpointQueryParameters
type	The auth type	'OAuth2' (required)

OAuthModelAuthorizationEndpointHeaders

Name	Description	Value

OAuthModelAuthorizationEndpointQueryParameters

Name	Description	Value

OAuthModelTokenEndpointHeaders

Name	Description	Value

OAuthModelTokenEndpointQueryParameters

Name	Description	Value

Office365ProjectConnectorDataTypes

Name	Description	Value
logs	Logs data type.	Office365ProjectConnectorDataTypesLogs (required)

Office365ProjectConnectorDataTypesLogs

Name	Description	Value
state	Describe whether this data type connection is enabled or not.	'Disabled' 'Enabled' (required)

Office365ProjectDataConnector

Name	Description	Value
kind	The data connector kind	'Office365Project' (required)
properties	Office Microsoft Project data connector properties.	Office365ProjectDataConnectorProperties

Office365ProjectDataConnectorProperties

Name	Description	Value
dataTypes	The available data types for the connector.	Office365ProjectConnectorDataTypes (required)
tenantId	The tenant id to connect to, and get the data from.	string (required)

OfficeATPDataConnector

Name	Description	Value
kind	The data connector kind	'OfficeATP' (required)
properties	OfficeATP (Office 365 Advanced Threat Protection) data connector properties.	OfficeATPDataConnectorProperties

OfficeATPDataConnectorProperties

Name	Description	Value
dataTypes	The available data types for the connector.	AlertsDataTypeOfDataConnector
tenantId	The tenant id to connect to, and get the data from.	string (required)

OfficeDataConnector

Name	Description	Value
kind	The data connector kind	'Office365' (required)
properties	Office data connector properties.	OfficeDataConnectorProperties

OfficeDataConnectorDataTypes

Name	Description	Value
exchange	Exchange data type connection.	OfficeDataConnectorDataTypesExchange (required)
sharePoint	SharePoint data type connection.	OfficeDataConnectorDataTypesSharePoint (required)
teams	Teams data type connection.	OfficeDataConnectorDataTypesTeams (required)

OfficeDataConnectorDataTypesExchange

Name	Description	Value
state	Describe whether this data type connection is enabled or not.	'Disabled' 'Enabled' (required)

OfficeDataConnectorDataTypesSharePoint

Name	Description	Value
state	Describe whether this data type connection is enabled or not.	'Disabled' 'Enabled' (required)

OfficeDataConnectorDataTypesTeams

Name	Description	Value
state	Describe whether this data type connection is enabled or not.	'Disabled' 'Enabled' (required)

OfficeDataConnectorProperties

Name	Description	Value
dataTypes	The available data types for the connector.	OfficeDataConnectorDataTypes (required)
tenantId	The tenant id to connect to, and get the data from.	string (required)

OfficeIRMDataConnector

Name	Description	Value
kind	The data connector kind	'OfficeIRM' (required)
properties	OfficeIRM (Microsoft Insider Risk Management) data connector properties.	OfficeIRMDataConnectorProperties

OfficeIRMDataConnectorProperties

Name	Description	Value
dataTypes	The available data types for the connector.	AlertsDataTypeOfDataConnector
tenantId	The tenant id to connect to, and get the data from.	string (required)

OfficePowerBIConnectorDataTypes

Name	Description	Value
logs	Logs data type.	OfficePowerBIConnectorDataTypesLogs (required)

OfficePowerBIConnectorDataTypesLogs

Name	Description	Value
state	Describe whether this data type connection is enabled or not.	'Disabled' 'Enabled' (required)

OfficePowerBIDataConnector

Name	Description	Value
kind	The data connector kind	'OfficePowerBI' (required)
properties	Office Microsoft PowerBI data connector properties.	OfficePowerBIDataConnectorProperties

OfficePowerBIDataConnectorProperties

Name	Description	Value
dataTypes	The available data types for the connector.	OfficePowerBIConnectorDataTypes (required)
tenantId	The tenant id to connect to, and get the data from.	string (required)

OracleAuthModel

Name	Description	Value
pemFile	Content of the PRM file	string (required)
publicFingerprint	Public Fingerprint	string (required)
tenantId	Oracle tenant ID	string (required)
type	The auth type	'Oracle' (required)
userId	Oracle user ID	string (required)

Permissions

Name	Description	Value
customs	Customs permissions required for the connector	PermissionsCustomsItem[]
resourceProvider	Resource provider permissions required for the connector	PermissionsResourceProviderItem[]

PermissionsCustomsItem

Name	Description	Value
description	Customs permissions description	string
name	Customs permissions name	string

PermissionsResourceProviderItem

Name	Description	Value
permissionsDisplayText	Permission description text	string
provider	Provider name	'microsoft.aadiam/diagnosticSettings' 'Microsoft.Authorization/policyAssignments' 'Microsoft.OperationalInsights/solutions' 'Microsoft.OperationalInsights/workspaces' 'Microsoft.OperationalInsights/workspaces/datasources' 'Microsoft.OperationalInsights/workspaces/sharedKeys'
providerDisplayName	Permission provider display name	string
requiredPermissions	Required permissions for the connector	RequiredPermissions
scope	Permission provider scope	'ResourceGroup' 'Subscription' 'Workspace'

PurviewAuditConnectorDataTypes

Name	Description	Value
logs	Logs data type.	PurviewAuditConnectorDataTypesLogs (required)

PurviewAuditConnectorDataTypesLogs

Name	Description	Value
state	Describe whether this data type connection is enabled or not.	'Disabled' 'Enabled' (required)

PurviewAuditDataConnector

Name	Description	Value
kind	The data connector kind	'PurviewAudit' (required)
properties	PurviewAudit data connector properties.	PurviewAuditDataConnectorProperties

PurviewAuditDataConnectorProperties

Name	Description	Value
connectorDefinitionName	The connector definition name (the dataConnectorDefinition resource id).	string
dataTypes	The available data types for the connector.	PurviewAuditConnectorDataTypes (required)
dcrConfig	The DCR related properties.	DCRConfiguration
sourceType	The source type indicates which kind of data is relevant for this connector.	string
tenantId	The tenant id to connect to, and get the data from.	string (required)

RequiredPermissions

Name	Description	Value
action	action permission	bool
delete	delete permission	bool
read	read permission	bool
write	write permission	bool

RestApiPollerDataConnector

Name	Description	Value
kind	The data connector kind	'RestApiPoller' (required)
properties	Rest Api Poller data connector properties.	RestApiPollerDataConnectorProperties

RestApiPollerDataConnectorProperties

Name	Description	Value
addOnAttributes	The add on attributes. The key name will become attribute name (a column) and the value will become the attribute value in the payload.	RestApiPollerDataConnectorPropertiesAddOnAttributes
auth	The a authentication model.	CcpAuthConfig (required)
connectorDefinitionName	The connector definition name (the dataConnectorDefinition resource id).	string (required)
dataType	The Log Analytics table destination.	string
dcrConfig	The DCR related properties.	DCRConfiguration
isActive	Indicates whether the connector is active or not.	bool
paging	The paging configuration.	RestApiPollerRequestPagingConfig
request	The request configuration.	RestApiPollerRequestConfig (required)
response	The response configuration.	CcpResponseConfig

RestApiPollerDataConnectorPropertiesAddOnAttributes

Name	Description	Value

RestApiPollerRequestConfig

Name	Description	Value
apiEndpoint	The API endpoint.	string (required)
endTimeAttributeName	The query parameter name which the remote server expect to end query. This property goes hand to hand with startTimeAttributeName	string
headers	The header for the request for the remote server.	RestApiPollerRequestConfigHeaders
httpMethod	The HTTP method, default value GET.	'DELETE' 'GET' 'POST' 'PUT'
isPostPayloadJson	Flag to indicate if HTTP POST payload is in JSON format (vs form-urlencoded).	bool
queryParameters	The HTTP query parameters to RESTful API.	RestApiPollerRequestConfigQueryParameters
queryParametersTemplate	the query parameters template. Defines the query parameters template to use when passing query parameters in advanced scenarios.	string
queryTimeFormat	The query time format. A remote server can have a query to pull data from range 'start' to 'end'. This property indicate what is the expected time format the remote server know to parse.	string
queryTimeIntervalAttributeName	The query parameter name which we need to send the server for query logs in time interval. Should be defined with queryTimeIntervalPrepend and queryTimeIntervalDelimiter	string
queryTimeIntervalDelimiter	The delimiter string between 2 QueryTimeFormat in the query parameter queryTimeIntervalAttributeName.	string
queryTimeIntervalPrepend	The string prepend to the value of the query parameter in queryTimeIntervalAttributeName.	string
queryWindowInMin	The query window in minutes for the request.	int
rateLimitQPS	The Rate limit queries per second for the request..	int
retryCount	The retry count.	int
startTimeAttributeName	The query parameter name which the remote server expect to start query. This property goes hand to hand with endTimeAttributeName.	string
timeoutInSeconds	The timeout in seconds.	int

RestApiPollerRequestConfigHeaders

Name	Description	Value

RestApiPollerRequestConfigQueryParameters

Name	Description	Value

RestApiPollerRequestPagingConfig

Name	Description	Value
pageSize	Page size	int
pageSizeParameterName	Page size parameter name	string
pagingType	Type of paging	'CountBasedPaging' 'LinkHeader' 'NextPageToken' 'NextPageUrl' 'Offset' 'PersistentLinkHeader' 'PersistentToken' (required)

SessionAuthModel

Name	Description	Value
headers	HTTP request headers to session service endpoint.	SessionAuthModelHeaders
isPostPayloadJson	Indicating whether API key is set in HTTP POST payload.	bool
password	The password attribute name.	SessionAuthModelPassword (required)
queryParameters	Query parameters to session service endpoint.	SessionAuthModelQueryParameters
sessionIdName	Session id attribute name from HTTP response header.	string
sessionLoginRequestUri	HTTP request URL to session service endpoint.	string
sessionTimeoutInMinutes	Session timeout in minutes.	int
type	The auth type	'Session' (required)
userName	The user name attribute key value.	SessionAuthModelUserName (required)

SessionAuthModelHeaders

Name	Description	Value

SessionAuthModelPassword

Name	Description	Value

SessionAuthModelQueryParameters

Name	Description	Value

SessionAuthModelUserName

Name	Description	Value

TIDataConnector

Name	Description	Value
kind	The data connector kind	'ThreatIntelligence' (required)
properties	TI (Threat Intelligence) data connector properties.	TIDataConnectorProperties

TIDataConnectorDataTypes

Name	Description	Value
indicators	Data type for indicators connection.	TIDataConnectorDataTypesIndicators (required)

TIDataConnectorDataTypesIndicators

Name	Description	Value
state	Describe whether this data type connection is enabled or not.	'Disabled' 'Enabled' (required)

TIDataConnectorProperties

Name	Description	Value
dataTypes	The available data types for the connector.	TIDataConnectorDataTypes (required)
tenantId	The tenant id to connect to, and get the data from.	string (required)
tipLookbackPeriod	The lookback period for the feed to be imported.	string

TiTaxiiDataConnector

Name	Description	Value
kind	The data connector kind	'ThreatIntelligenceTaxii' (required)
properties	Threat intelligence TAXII data connector properties.	TiTaxiiDataConnectorProperties

TiTaxiiDataConnectorDataTypes

Name	Description	Value
taxiiClient	Data type for TAXII connector.	TiTaxiiDataConnectorDataTypesTaxiiClient (required)

TiTaxiiDataConnectorDataTypesTaxiiClient

Name	Description	Value
state	Describe whether this data type connection is enabled or not.	'Disabled' 'Enabled' (required)

TiTaxiiDataConnectorProperties

Name	Description	Value
collectionId	The collection id of the TAXII server.	string
dataTypes	The available data types for Threat Intelligence TAXII data connector.	TiTaxiiDataConnectorDataTypes (required)
friendlyName	The friendly name for the TAXII server.	string
password	The password for the TAXII server.	string
pollingFrequency	The polling frequency for the TAXII server.	'OnceADay' 'OnceAMinute' 'OnceAnHour' (required)
taxiiLookbackPeriod	The lookback period for the TAXII server.	string
taxiiServer	The API root for the TAXII server.	string
tenantId	The tenant id to connect to, and get the data from.	string (required)
userName	The userName for the TAXII server.	string
workspaceId	The workspace id.	string