Data Connectors - Get
Gets a data connector.
GET https://management.azure.com/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/dataConnectors/{dataConnectorId}?api-version=2024-01-01-preview
URI Parameters
Name | In | Required | Type | Description |
---|---|---|---|---|
dataConnectorId | path | True | string | Connector ID |
resourceGroupName | path | True | string | The name of the resource group. The name is case insensitive. |
subscriptionId | path | True | string | The ID of the target subscription. |
workspaceName | path | True | string | The name of the workspace. Regex pattern: |
api-version | query | True | string | The API version to use for this operation. |
Responses
Name | Type | Description |
---|---|---|
200 OK | DataConnector: | OK, Operation successfully completed |
Other Status Codes | | Error response describing why the operation failed. |
Security
azure_auth
Azure Active Directory OAuth2 Flow
Type: oauth2
Flow: implicit
Authorization URL: https://login.microsoftonline.com/common/oauth2/authorize
Scopes
Name | Description |
---|---|
user_impersonation | impersonate your user account |
Examples
Get an APIPolling data connector
Sample request
Sample response
{
"id": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalInsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/dataConnectors/316ec55e-7138-4d63-ab18-90c8a60fd1c8",
"name": "316ec55e-7138-4d63-ab18-90c8a60fd1c8",
"etag": "\"1a00b074-0000-0100-0000-606ef5bd0000\"",
"type": "Microsoft.SecurityInsights/dataConnectors",
"kind": "APIPolling",
"properties": {
"connectorUiConfig": {
"title": "GitHub Enterprise Audit Log",
"publisher": "GitHub",
"descriptionMarkdown": "The GitHub audit log connector provides the capability to ingest GitHub logs into Azure Sentinel. By connecting GitHub audit logs into Azure Sentinel, you can view this data in workbooks, use it to create custom alerts, and improve your investigation process.",
"customImage": "The image connector content",
"graphQueriesTableName": "GitHubAuditLogPolling_CL",
"graphQueries": [
{
"metricName": "Total events received",
"legend": "GitHub audit log events",
"baseQuery": "{{graphQueriesTableName}}"
}
],
"sampleQueries": [
{
"description": "All logs",
"query": "{{graphQueriesTableName}}\n | take 10 <change>"
}
],
"dataTypes": [
{
"name": "{{graphQueriesTableName}}",
"lastDataReceivedQuery": "{{graphQueriesTableName}}\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)"
}
],
"connectivityCriteria": [
{
"type": "SentinelKindsV2",
"value": []
}
],
"availability": {
"status": 1,
"isPreview": true
},
"permissions": {
"resourceProvider": [
{
"provider": "Microsoft.OperationalInsights/workspaces",
"permissionsDisplayText": "read and write permissions are required.",
"providerDisplayName": "Workspace",
"scope": "Workspace",
"requiredPermissions": {
"write": true,
"read": true,
"delete": true
}
}
],
"customs": [
{
"name": "GitHub API personal token Key",
"description": "You need access to GitHub personal token, the key should have 'admin:org' scope"
}
]
},
"instructionSteps": [
{
"title": "Connect GitHub Enterprise Audit Log to Azure Sentinel",
"description": "Enable GitHub audit Logs. \n Follow [this](https://docs.github.com/en/github/authenticating-to-github/keeping-your-account-and-data-secure/creating-a-personal-access-token) to create or find your personal key",
"instructions": [
{
"parameters": {
"enable": "true",
"userRequestPlaceHoldersInput": [
{
"displayText": "Organization Name",
"requestObjectKey": "apiEndpoint",
"placeHolderName": "{{placeHolder1}}",
"placeHolderValue": ""
}
]
},
"type": "APIKey"
}
]
}
]
},
"pollingConfig": {
"auth": {
"authType": "APIKey",
"apiKeyIdentifier": "token",
"apiKeyName": "Authorization"
},
"request": {
"apiEndpoint": "https://api.github.com/organizations/{{placeHolder1}}/audit-log",
"rateLimitQps": 50,
"queryWindowInMin": 15,
"httpMethod": "Get",
"queryTimeFormat": "yyyy-MM-ddTHH:mm:ssZ",
"retryCount": 2,
"timeoutInSeconds": 60,
"headers": {
"Accept": "application/json",
"User-Agent": "Scuba"
},
"queryParameters": {
"phrase": "created:{_QueryWindowStartTime}..{_QueryWindowEndTime}"
}
},
"paging": {
"pagingType": "LinkHeader",
"pageSizeParaName": "per_page"
},
"response": {
"eventsJsonPaths": [
"$"
]
}
}
}
}
Get an ASC data connector
Sample request
Sample response
{
"id": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalInsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/dataConnectors/763f9fa1-c2d3-4fa2-93e9-bccd4899aa12",
"name": "763f9fa1-c2d3-4fa2-93e9-bccd4899aa12",
"type": "Microsoft.SecurityInsights/dataConnectors",
"kind": "AzureSecurityCenter",
"etag": "\"0300bf09-0000-0000-0000-5c37296e0000\"",
"properties": {
"subscriptionId": "c0688291-89d7-4bed-87a2-a7b1bff43f4c",
"dataTypes": {
"alerts": {
"state": "Enabled"
}
}
}
}
Get a Dynamics365 data connector
Sample request
Sample response
{
"id": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalInsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/dataConnectors/3d3e955e-33eb-401d-89a7-251c81ddd660",
"name": "c2541efb-c9a6-47fe-9501-87d1017d1512",
"type": "Microsoft.SecurityInsights/dataConnectors",
"kind": "Dynamics365",
"etag": "\"0300bf09-0000-0000-0000-5c37296e0000\"",
"properties": {
"tenantId": "2070ecc9-b4d5-4ae4-adaa-936fa1954fa8",
"dataTypes": {
"dynamics365CdsActivities": {
"state": "Enabled"
}
}
}
}
Get a GCP data connector
Sample request
GET https://management.azure.com/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalInsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/dataConnectors/GCP_fce27b90-d6f5-4d30-991a-af509a2b50a1?api-version=2024-01-01-preview
Sample response
{
"id": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalInsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/dataConnectors/GCP_afef3743-0c88-469c-84ff-ca2e87dc1e48",
"name": "GCP_fce27b90-d6f5-4d30-991a-af509a2b50a1",
"type": "Microsoft.SecurityInsights/dataConnectors",
"etag": "\"0300bf09-0000-0000-0000-5c37296e0000\"",
"kind": "GCP",
"properties": {
"connectorDefinitionName": "GcpConnector",
"auth": {
"serviceAccountEmail": "sentinel-service-account@project-id.iam.gserviceaccount.com",
"projectNumber": "123456789012",
"workloadIdentityProviderId": "sentinel-identity-provider",
"type": "GCP"
},
"request": {
"projectId": "project-id",
"subscriptionNames": [
"sentinel-subscription"
]
}
}
}
Get a GenericUI data connector
Sample request
Sample response
{
"id": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalInsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/dataConnectors/316ec55e-7138-4d63-ab18-90c8a60fd1c8",
"name": "316ec55e-7138-4d63-ab18-90c8a60fd1c8",
"etag": "\"1a00b074-0000-0100-0000-606ef5bd0000\"",
"type": "Microsoft.SecurityInsights/dataConnectors",
"kind": "GenericUI",
"properties": {
"connectorUiConfig": {
"title": "Qualys Vulnerability Management (CCP DEMO)",
"publisher": "Qualys",
"descriptionMarkdown": "The [Qualys Vulnerability Management (VM)](https://www.qualys.com/apps/vulnerability-management/) data connector provides the capability to ingest vulnerability host detection data into Azure Sentinel through the Qualys API. The connector provides visibility into host detection data from vulerability scans. This connector provides Azure Sentinel the capability to view dashboards, create custom alerts, and improve investigation ",
"customImage": "The image connector content",
"graphQueriesTableName": "QualysHostDetection_CL",
"graphQueries": [
{
"metricName": "Total data received",
"legend": "{{graphQueriesTableName}}",
"baseQuery": "{{graphQueriesTableName}}"
}
],
"sampleQueries": [
{
"description": "Top 10 Vulerabilities detected",
"query": "{{graphQueriesTableName}}\n | mv-expand todynamic(Detections_s)\n | extend Vulnerability = tostring(Detections_s.Results)\n | summarize count() by Vulnerability\n | top 10 by count_"
}
],
"dataTypes": [
{
"name": "{{graphQueriesTableName}}",
"lastDataReceivedQuery": "{{graphQueriesTableName}}\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)"
}
],
"connectivityCriteria": [
{
"type": "IsConnectedQuery",
"value": [
"{{graphQueriesTableName}}\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(30d)"
]
}
],
"availability": {
"status": 1,
"isPreview": true
},
"permissions": {
"resourceProvider": [
{
"provider": "Microsoft.OperationalInsights/workspaces",
"permissionsDisplayText": "read and write permissions on the workspace are required.",
"providerDisplayName": "Workspace",
"scope": "Workspace",
"requiredPermissions": {
"write": true,
"read": true,
"delete": true
}
},
{
"provider": "Microsoft.OperationalInsights/workspaces/sharedKeys",
"permissionsDisplayText": "read permissions to shared keys for the workspace are required. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key).",
"providerDisplayName": "Keys",
"scope": "Workspace",
"requiredPermissions": {
"action": true
}
}
],
"customs": [
{
"name": "Microsoft.Web/sites permissions",
"description": "Read and write permissions to Azure Functions to create a Function App is required. [See the documentation to learn more about Azure Functions](https://docs.microsoft.com/azure/azure-functions/)."
},
{
"name": "Qualys API Key",
"description": "A Qualys VM API username and password is required. [See the documentation to learn more about Qualys VM API](https://www.qualys.com/docs/qualys-api-vmpc-user-guide.pdf)."
}
]
},
"instructionSteps": [
{
"title": "",
"description": ">**NOTE:** This connector uses Azure Functions to connect to Qualys VM to pull its logs into Azure Sentinel. This might result in additional data ingestion costs. Check the [Azure Functions pricing page](https://azure.microsoft.com/pricing/details/functions/) for details."
},
{
"title": "",
"description": ">**(Optional Step)** Securely store workspace and API authorization key(s) or token(s) in Azure Key Vault. Azure Key Vault provides a secure mechanism to store and retrieve key values. [Follow these instructions](https://docs.microsoft.com/azure/app-service/app-service-key-vault-references) to use Azure Key Vault with an Azure Function App."
},
{
"title": "",
"description": "**STEP 1 - Configuration steps for the Qualys VM API**\n\n1. Log into the Qualys Vulnerability Management console with an administrator account, select the **Users** tab and the **Users** subtab. \n2. Click on the **New** drop-down menu and select **Users..**\n3. Create a username and password for the API account. \n4. In the **User Roles** tab, ensure the account role is set to **Manager** and access is allowed to **GUI** and **API**\n4. Log out of the administrator account and log into the console with the new API credentials for validation, then log out of the API account. \n5. Log back into the console using an administrator account and modify the API accounts User Roles, removing access to **GUI**. \n6. Save all changes."
},
{
"title": "",
"description": "**STEP 2 - Choose ONE from the following two deployment options to deploy the connector and the associated Azure Function**\n\n>**IMPORTANT:** Before deploying the Qualys VM connector, have the Workspace ID and Workspace Primary Key (can be copied from the following), as well as the Qualys VM API Authorization Key(s), readily available.",
"instructions": [
{
"parameters": {
"fillWith": [
"WorkspaceId"
],
"label": "Workspace ID"
},
"type": "CopyableLabel"
},
{
"parameters": {
"fillWith": [
"PrimaryKey"
],
"label": "Primary Key"
},
"type": "CopyableLabel"
}
]
},
{
"title": "Option 1 - Azure Resource Manager (ARM) Template",
"description": "Use this method for automated deployment of the Qualys VM connector using an ARM Tempate.\n\n1. Click the **Deploy to Azure** button below. \n\n\t[](https://aka.ms/sentinelqualysvmazuredeploy)\n2. Select the preferred **Subscription**, **Resource Group** and **Location**. \n3. Enter the **Workspace ID**, **Workspace Key**, **API Username**, **API Password** , update the **URI**, and any additional URI **Filter Parameters** (each filter should be separated by an \"&\" symbol, no spaces.) \n> - Enter the URI that corresponds to your region. The complete list of API Server URLs can be [found here](https://www.qualys.com/docs/qualys-api-vmpc-user-guide.pdf#G4.735348) -- There is no need to add a time suffix to the URI, the Function App will dynamically append the Time Value to the URI in the proper format. \n - The default **Time Interval** is set to pull the last five (5) minutes of data. If the time interval needs to be modified, it is recommended to change the Function App Timer Trigger accordingly (in the function.json file, post deployment) to prevent overlapping data ingestion. \n> - Note: If using Azure Key Vault secrets for any of the values above, use the`@Microsoft.KeyVault(SecretUri={Security Identifier})`schema in place of the string values. Refer to [Key Vault references documentation](https://docs.microsoft.com/azure/app-service/app-service-key-vault-references) for further details. \n4. Mark the checkbox labeled **I agree to the terms and conditions stated above**. \n5. Click **Purchase** to deploy."
},
{
"title": "Option 2 - Manual Deployment of Azure Functions",
"description": "Use the following step-by-step instructions to deploy the Quayls VM connector manually with Azure Functions."
},
{
"title": "",
"description": "**1. Create a Function App**\n\n1. From the Azure Portal, navigate to [Function App](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/Microsoft.Web%2Fsites/kind/functionapp), and select **+ Add**.\n2. In the **Basics** tab, ensure Runtime stack is set to **Powershell Core**. \n3. In the **Hosting** tab, ensure the **Consumption (Serverless)** plan type is selected.\n4. Make other preferrable configuration changes, if needed, then click **Create**."
},
{
"title": "",
"description": "**2. Import Function App Code**\n\n1. In the newly created Function App, select **Functions** on the left pane and click **+ New Function**.\n2. Select **Timer Trigger**.\n3. Enter a unique Function **Name** and leave the default cron schedule of every 5 minutes, then click **Create**.\n5. Click on **Code + Test** on the left pane. \n6. Copy the [Function App Code](https://aka.ms/sentinelqualysvmazurefunctioncode) and paste into the Function App `run.ps1` editor.\n7. Click **Save**."
},
{
"title": "",
"description": "**3. Configure the Function App**\n\n1. In the Function App, select the Function App Name and select **Configuration**.\n2. In the **Application settings** tab, select **+ New application setting**.\n3. Add each of the following seven (7) application settings individually, with their respective string values (case-sensitive): \n\t\tapiUsername\n\t\tapiPassword\n\t\tworkspaceID\n\t\tworkspaceKey\n\t\turi\n\t\tfilterParameters\n\t\ttimeInterval\n> - Enter the URI that corresponds to your region. The complete list of API Server URLs can be [found here](https://www.qualys.com/docs/qualys-api-vmpc-user-guide.pdf#G4.735348). The `uri` value must follow the following schema: `https://<API Server>/api/2.0/fo/asset/host/vm/detection/?action=list&vm_processed_after=` -- There is no need to add a time suffix to the URI, the Function App will dynamically append the Time Value to the URI in the proper format.\n> - Add any additional filter parameters, for the `filterParameters` variable, that need to be appended to the URI. Each parameter should be seperated by an \"&\" symbol and should not include any spaces.\n> - Set the `timeInterval` (in minutes) to the value of `5` to correspond to the Timer Trigger of every `5` minutes. If the time interval needs to be modified, it is recommended to change the Function App Timer Trigger accordingly to prevent overlapping data ingestion.\n> - Note: If using Azure Key Vault, use the`@Microsoft.KeyVault(SecretUri={Security Identifier})`schema in place of the string values. Refer to [Key Vault references documentation](https://docs.microsoft.com/azure/app-service/app-service-key-vault-references) for further details.\n4. Once all application settings have been entered, click **Save**."
},
{
"title": "",
"description": "**4. Configure the host.json**.\n\nDue to the potentially large amount of Qualys host detection data being ingested, it can cause the execution time to surpass the default Function App timeout of five (5) minutes. Increase the default timeout duration to the maximum of ten (10) minutes, under the Consumption Plan, to allow more time for the Function App to execute.\n\n1. In the Function App, select the Function App Name and select the **App Service Editor** blade.\n2. Click **Go** to open the editor, then select the **host.json** file under the **wwwroot** directory.\n3. Add the line `\"functionTimeout\": \"00:10:00\",` above the `managedDependancy` line \n4. Ensure **SAVED** appears on the top right corner of the editor, then exit the editor.\n\n> NOTE: If a longer timeout duration is required, consider upgrading to an [App Service Plan](https://docs.microsoft.com/azure/azure-functions/functions-scale#timeout)"
}
]
}
}
}
Get an IoT data connector
Sample request
Sample response
{
"id": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalInsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/dataConnectors/d2e5dc7a-f3a2-429d-954b-939fa8c2932e",
"name": "d2e5dc7a-f3a2-429d-954b-939fa8c2932e",
"type": "Microsoft.SecurityInsights/dataConnectors",
"kind": "IOT",
"etag": "\"0300bf09-0000-0000-0000-5c37296e0000\"",
"properties": {
"subscriptionId": "c0688291-89d7-4bed-87a2-a7b1bff43f4c",
"dataTypes": {
"alerts": {
"state": "Enabled"
}
}
}
}
Get an MCAS data connector
Sample request
Sample response
{
"id": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalInsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/dataConnectors/b96d014d-b5c2-4a01-9aba-a8058f629d42",
"name": "b96d014d-b5c2-4a01-9aba-a8058f629d42",
"type": "Microsoft.SecurityInsights/dataConnectors",
"kind": "MicrosoftCloudAppSecurity",
"etag": "\"0300bf09-0000-0000-0000-5c37296e0000\"",
"properties": {
"tenantId": "2070ecc9-b4d5-4ae4-adaa-936fa1954fa8",
"dataTypes": {
"alerts": {
"state": "Enabled"
},
"discoveryLogs": {
"state": "Enabled"
}
}
}
}
Get an MDATP data connector
Sample request
Sample response
{
"id": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalInsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/dataConnectors/06b3ccb8-1384-4bcc-aec7-852f6d57161b",
"name": "06b3ccb8-1384-4bcc-aec7-852f6d57161b",
"type": "Microsoft.SecurityInsights/dataConnectors",
"kind": "MicrosoftDefenderAdvancedThreatProtection",
"etag": "\"0300bf09-0000-0000-0000-5c37296e0000\"",
"properties": {
"tenantId": "2070ecc9-b4d5-4ae4-adaa-936fa1954fa8",
"dataTypes": {
"alerts": {
"state": "Enabled"
}
}
}
}
Get a MicrosoftPurviewInformationProtection data connector
Sample request
Sample response
{
"id": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalInsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/dataConnectors/73e01a99-5cd7-4139-a149-9f2736ff2ab5",
"name": "73e01a99-5cd7-4139-a149-9f2736ff2ab5",
"type": "Microsoft.SecurityInsights/dataConnectors",
"kind": "MicrosoftPurviewInformationProtection",
"etag": "\"0300bf09-0000-0000-0000-5c37296e0000\"",
"properties": {
"tenantId": "2070ecc9-b4d5-4ae4-adaa-936fa1954fa8",
"dataTypes": {
"logs": {
"state": "Enabled"
}
}
}
}
Get a MicrosoftThreatIntelligence data connector
Sample request
Sample response
{
"id": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalInsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/dataConnectors/c345bf40-8509-4ed2-b947-50cb773aaf04",
"name": "c345bf40-8509-4ed2-b947-50cb773aaf04",
"type": "Microsoft.SecurityInsights/dataConnectors",
"kind": "MicrosoftThreatIntelligence",
"etag": "\"0300bf09-0000-0000-0000-5c37296e0000\"",
"properties": {
"tenantId": "2070ecc9-b4d5-4ae4-adaa-936fa1954fa8",
"dataTypes": {
"microsoftEmergingThreatFeed": {
"state": "Enabled",
"lookbackPeriod": "01/01/1970 00:00:00"
}
}
}
}
Get a MicrosoftThreatProtection data connector
Sample request
Sample response
{
"id": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalInsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/dataConnectors/c345bf40-8509-4ed2-b947-50cb773aaf04",
"name": "c345bf40-8509-4ed2-b947-50cb773aaf04",
"type": "Microsoft.SecurityInsights/dataConnectors",
"kind": "MicrosoftThreatProtection",
"etag": "\"0300bf09-0000-0000-0000-5c37296e0000\"",
"properties": {
"tenantId": "2070ecc9-b4d5-4ae4-adaa-936fa1954fa8",
"dataTypes": {
"incidents": {
"state": "Enabled"
},
"alerts": {
"state": "Enabled"
}
},
"filteredProviders": {
"alerts": [
"microsoftDefenderForCloudApps"
]
}
}
}
Get a RestApiPoller data connector
Sample request
GET https://management.azure.com/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalInsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/dataConnectors/RestApiPoller_fce27b90-d6f5-4d30-991a-af509a2b50a1?api-version=2024-01-01-preview
Sample response
{
"id": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalInsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/dataConnectors/RestApiPoller_afef3743-0c88-469c-84ff-ca2e87dc1e48",
"name": "RestApiPoller_fce27b90-d6f5-4d30-991a-af509a2b50a1",
"type": "Microsoft.SecurityInsights/dataConnectors",
"etag": "\"0300bf09-0000-0000-0000-5c37296e0000\"",
"kind": "RestApiPoller",
"properties": {
"connectorDefinitionName": "RestApiPollerDefinition",
"auth": {
"type": "APIKey",
"apiKey": "6bec40cf957de430a6f1f2baa056b99a4fac9ea0",
"apiKeyName": "X-Cisco-Meraki-API-Key"
},
"dcrConfig": {
"streamName": "Meraki",
"dataCollectionEndpoint": "data collection Endpoint",
"dataCollectionRuleImmutableId": "data collection rule immutableId"
},
"request": {
"apiEndpoint": "https://api.meraki.com/api/v1/organizations/573083052582915028/networks",
"rateLimitQPS": 10,
"queryWindowInMin": 6,
"httpMethod": "GET",
"queryTimeFormat": "UnixTimestamp",
"startTimeAttributeName": "t0",
"endTimeAttributeName": "t1",
"retryCount": 3,
"timeoutInSeconds": 60,
"headers": {
"Accept": "application/json",
"User-Agent": "Scuba"
},
"queryParameters": {
"perPage": 1000
}
},
"paging": {
"pagingType": "LinkHeader"
},
"response": {
"eventsJsonPaths": [
"$"
]
}
}
}
Get a TI data connector
Sample request
Sample response
{
"id": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalInsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/dataConnectors/c345bf40-8509-4ed2-b947-50cb773aaf04",
"name": "c345bf40-8509-4ed2-b947-50cb773aaf04",
"type": "Microsoft.SecurityInsights/dataConnectors",
"kind": "ThreatIntelligence",
"etag": "\"0300bf09-0000-0000-0000-5c37296e0000\"",
"properties": {
"tenantId": "2070ecc9-b4d5-4ae4-adaa-936fa1954fa8",
"tipLookbackPeriod": "2020-01-01T13:00:30.123Z",
"dataTypes": {
"indicators": {
"state": "Enabled"
}
}
}
}
Get a TI Taxii data connector.
Sample request
Sample response
{
"id": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalInsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/dataConnectors/c39bb458-02a7-4b3f-b0c8-71a1d2692652",
"name": "c39bb458-02a7-4b3f-b0c8-71a1d2692652",
"type": "Microsoft.SecurityInsights/dataConnectors",
"kind": "ThreatIntelligenceTaxii",
"etag": "\"0300bf09-0000-0000-0000-5c37296e0000\"",
"properties": {
"tenantId": "2070ecc9-b4d5-4ae4-adaa-936fa1954fa8",
"workspaceId": "8b014a77-4695-4ef4-96bb-6623afb121a2",
"friendlyName": "My TI Taxii Connector",
"taxiiServer": "https://mytaxiiserver.com/taxiing/v2/api",
"collectionId": "e0b1f32d-1188-48f7-a7a3-de71924e4b5e",
"userName": "",
"password": "",
"taxiiLookbackPeriod": "2020-01-01T13:00:30.123Z",
"pollingFrequency": "OnceADay",
"dataTypes": {
"taxiiClient": {
"state": "Enabled"
}
}
}
}
Get an AADIP (Azure Active Directory Identity Protection) data connector
Sample request
Sample response
{
"id": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalInsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/dataConnectors/f0cd27d2-5f03-4c06-ba31-d2dc82dcb51d",
"name": "f0cd27d2-5f03-4c06-ba31-d2dc82dcb51d",
"type": "Microsoft.SecurityInsights/dataConnectors",
"kind": "AzureActiveDirectory",
"etag": "\"0300bf09-0000-0000-0000-5c37296e0000\"",
"properties": {
"tenantId": "2070ecc9-b4d5-4ae4-adaa-936fa1954fa8",
"dataTypes": {
"alerts": {
"state": "Enabled"
}
}
}
}
Get an AATP data connector
Sample request
Sample response
{
"id": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalInsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/dataConnectors/07e42cb3-e658-4e90-801c-efa0f29d3d44",
"name": "07e42cb3-e658-4e90-801c-efa0f29d3d44",
"type": "Microsoft.SecurityInsights/dataConnectors",
"kind": "AzureAdvancedThreatProtection",
"etag": "\"0300bf09-0000-0000-0000-5c37296e0000\"",
"properties": {
"tenantId": "2070ecc9-b4d5-4ae4-adaa-936fa1954fa8",
"dataTypes": {
"alerts": {
"state": "Enabled"
}
}
}
}
Get an Aws S3 data connector
Sample request
Sample response
{
"id": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalInsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/dataConnectors/afef3743-0c88-469c-84ff-ca2e87dc1e48",
"name": "afef3743-0c88-469c-84ff-ca2e87dc1e48",
"type": "Microsoft.SecurityInsights/dataConnectors",
"etag": "\"0300bf09-0000-0000-0000-5c37296e0000\"",
"kind": "AmazonWebServicesS3",
"properties": {
"destinationTable": "AWSVPCFlow",
"roleArn": "arn:aws:iam::072643944673:role/RoleName",
"sqsUrls": [
"https://sqs.us-west-1.amazonaws.com/111111111111/sqsTestName"
],
"dataTypes": {
"logs": {
"state": "Enabled"
}
}
}
}
Get an AwsCloudTrail data connector
Sample request
Sample response
{
"id": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalInsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/dataConnectors/c345bf40-8509-4ed2-b947-50cb773aaf04",
"name": "c345bf40-8509-4ed2-b947-50cb773aaf04",
"type": "Microsoft.SecurityInsights/dataConnectors",
"etag": "\"0300bf09-0000-0000-0000-5c37296e0000\"",
"kind": "AmazonWebServicesCloudTrail",
"properties": {
"awsRoleArn": "myAwsRoleArn",
"dataTypes": {
"logs": {
"state": "Enabled"
}
}
}
}
Get an Office ATP data connector
Sample request
Sample response
{
"id": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalInsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/dataConnectors/3d3e955e-33eb-401d-89a7-251c81ddd660",
"name": "3d3e955e-33eb-401d-89a7-251c81ddd660",
"type": "Microsoft.SecurityInsights/dataConnectors",
"kind": "OfficeATP",
"etag": "\"0300bf09-0000-0000-0000-5c37296e0000\"",
"properties": {
"tenantId": "2070ecc9-b4d5-4ae4-adaa-936fa1954fa8",
"dataTypes": {
"alerts": {
"state": "Enabled"
}
}
}
}
Get an Office IRM data connector
Sample request
Sample response
{
"id": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalInsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/dataConnectors/3d3e955e-33eb-401d-89a7-251c81ddd660",
"name": "3d3e955e-33eb-401d-89a7-251c81ddd660",
"type": "Microsoft.SecurityInsights/dataConnectors",
"kind": "OfficeIRM",
"etag": "\"0300bf09-0000-0000-0000-5c37296e0000\"",
"properties": {
"tenantId": "2070ecc9-b4d5-4ae4-adaa-936fa1954fa8",
"dataTypes": {
"alerts": {
"state": "Enabled"
}
}
}
}
Get an Office365 data connector.
Sample request
Sample response
{
"id": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalInsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/dataConnectors/73e01a99-5cd7-4139-a149-9f2736ff2ab5",
"name": "73e01a99-5cd7-4139-a149-9f2736ff2ab5",
"type": "Microsoft.SecurityInsights/dataConnectors",
"kind": "Office365",
"etag": "\"0300bf09-0000-0000-0000-5c37296e0000\"",
"properties": {
"tenantId": "2070ecc9-b4d5-4ae4-adaa-936fa1954fa8",
"dataTypes": {
"sharePoint": {
"state": "Enabled"
},
"exchange": {
"state": "Enabled"
},
"teams": {
"state": "Enabled"
}
}
}
}
Get an Office365 PowerBI data connector
Sample request
Sample response
{
"id": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalInsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/dataConnectors/73e01a99-5cd7-4139-a149-9f2736ff2ab5",
"name": "73e01a99-5cd7-4139-a149-9f2736ff2ab5",
"type": "Microsoft.SecurityInsights/dataConnectors",
"kind": "OfficePowerBI",
"etag": "\"0300bf09-0000-0000-0000-5c37296e0000\"",
"properties": {
"tenantId": "2070ecc9-b4d5-4ae4-adaa-936fa1954fa8",
"dataTypes": {
"logs": {
"state": "Enabled"
}
}
}
}
Get an Office365 Project data connector
Sample request
Sample response
{
"id": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalInsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/dataConnectors/73e01a99-5cd7-4139-a149-9f2736ff2ab5",
"name": "73e01a99-5cd7-4139-a149-9f2736ff2ab5",
"type": "Microsoft.SecurityInsights/dataConnectors",
"kind": "Office365Project",
"etag": "\"0300bf09-0000-0000-0000-5c37296e0000\"",
"properties": {
"tenantId": "2070ecc9-b4d5-4ae4-adaa-936fa1954fa8",
"dataTypes": {
"logs": {
"state": "Enabled"
}
}
}
}
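The request template at the top of this page and the response shapes in the examples above can be handled as follows when inventorying connectors. This is an added example, not code from the API documentation or from Microsoft: the function names, the `SENSITIVE_KEYS` list and the two sample documents are assumptions constructed for illustration. It builds the GET URL with each path segment percent-encoded, reports which data types are enabled, and masks credential fields before a response is written to logs or tickets.

```python
import json
from urllib.parse import quote

ARM_HOST = "https://management.azure.com"
API_VERSION = "2024-01-01-preview"  # version shown in this page's request line

# Assumption: key names treated as credential material, taken from the sample
# responses on this page (RestApiPoller "apiKey", TAXII "password").
SENSITIVE_KEYS = {"apikey", "password"}
MASK = "***REDACTED***"


def build_get_url(subscription_id, resource_group, workspace, connector_id,
                  api_version=API_VERSION):
    """Fill the GET template. Every path segment is percent-encoded so a value
    containing '/' or '?' cannot change which resource is addressed."""
    parts = {
        "subscriptionId": subscription_id,
        "resourceGroupName": resource_group,
        "workspaceName": workspace,
        "dataConnectorId": connector_id,
    }
    for name, value in parts.items():
        if not isinstance(value, str) or not value:
            raise ValueError(f"{name} must be a non-empty string")
    enc = {k: quote(v, safe="") for k, v in parts.items()}
    return (
        f"{ARM_HOST}/subscriptions/{enc['subscriptionId']}"
        f"/resourceGroups/{enc['resourceGroupName']}"
        f"/providers/Microsoft.OperationalInsights/workspaces/{enc['workspaceName']}"
        f"/providers/Microsoft.SecurityInsights/dataConnectors/{enc['dataConnectorId']}"
        f"?api-version={quote(api_version, safe='')}"
    )


def secret_paths(node, prefix=""):
    """List dotted paths of non-empty credential fields in a response."""
    found = []
    if isinstance(node, dict):
        for key, value in node.items():
            path = f"{prefix}.{key}" if prefix else key
            if key.lower() in SENSITIVE_KEYS and isinstance(value, str) and value:
                found.append(path)
            else:
                found.extend(secret_paths(value, path))
    elif isinstance(node, list):
        for i, value in enumerate(node):
            found.extend(secret_paths(value, f"{prefix}[{i}]"))
    return found


def redact_secrets(node):
    """Return a copy of the response with credential values masked.
    The input is not modified."""
    if isinstance(node, dict):
        return {
            k: MASK if (k.lower() in SENSITIVE_KEYS and isinstance(v, str) and v)
            else redact_secrets(v)
            for k, v in node.items()
        }
    if isinstance(node, list):
        return [redact_secrets(v) for v in node]
    return node


def summarize_connector(resp):
    """Report kind and data type states. Kinds such as APIPolling and
    GenericUI carry no properties.dataTypes object, so both lists are empty."""
    data_types = resp.get("properties", {}).get("dataTypes")
    enabled, not_enabled = [], []
    if isinstance(data_types, dict):
        for name, cfg in sorted(data_types.items()):
            state = cfg.get("state") if isinstance(cfg, dict) else None
            (enabled if state == "Enabled" else not_enabled).append(name)
    return {"kind": resp.get("kind"), "name": resp.get("name"),
            "enabled": enabled, "not_enabled": not_enabled,
            "secret_paths": secret_paths(resp)}


# Constructed sample documents shaped like the responses on this page.
SAMPLE_POLLER = {
    "name": "example-poller", "kind": "RestApiPoller",
    "properties": {"auth": {"type": "APIKey",
                            "apiKey": "CONSTRUCTED-NOT-A-REAL-KEY",
                            "apiKeyName": "X-Example-API-Key"}},
}
SAMPLE_OFFICE = {
    "name": "example-office", "kind": "Office365",
    "properties": {"dataTypes": {"sharePoint": {"state": "Enabled"},
                                 "exchange": {"state": "Enabled"},
                                 "teams": {"state": "Disabled"}}},
}

if __name__ == "__main__":
    print(build_get_url("00000000-0000-0000-0000-000000000000",
                        "myRg", "myWorkspace", "example-poller"))
    for doc in (SAMPLE_POLLER, SAMPLE_OFFICE):
        print(json.dumps(summarize_connector(doc)))
        print(json.dumps(redact_secrets(doc)))
```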
Definitions
Name | Description |
---|---|
AADData |
Represents AADIP (Azure Active Directory Identity Protection) data connector. |
AATPData |
Represents AATP (Azure Advanced Threat Protection) data connector. |
Alerts |
Alerts data type for Microsoft Threat Protection Platforms data connector. |
Alerts |
Alerts data type for data connectors. |
Api |
Model for authentication with the API Key. Will result in additional header on the request (default behavior) to the remote server: 'ApiKeyName: ApiKeyIdentifier ApiKey'. If 'IsApiKeyInPostPayload' is true it will send it in the body of the request and not the header. |
ASCData |
Represents ASC (Azure Security Center) data connector. |
Availability |
Connector Availability Status |
Availability |
The connector Availability Status |
AWSAuth |
Model for API authentication with AWS. |
Aws |
Represents Amazon Web Services CloudTrail data connector. |
Aws |
The available data types for Amazon Web Services CloudTrail data connector. |
AwsS3Data |
Represents Amazon Web Services S3 data connector. |
AwsS3Data |
The available data types for Amazon Web Services S3 data connector. |
Basic |
Model for API authentication with basic flow - user name + password. |
Ccp |
Type of paging |
Ccp |
A custom response configuration for a rule. |
Cloud |
Error response structure. |
Cloud |
Error details. |
Codeless |
Represents Codeless API Polling data connector. |
Codeless |
Describe the authentication properties needed to successfully authenticate with the server |
Codeless |
Config to describe the polling config for API poller connector |
Codeless |
Describe the properties needed to make a pagination call |
Codeless |
Describe the request properties needed to successfully pull from the server |
Codeless |
Describes the response from the external server |
Codeless |
Config to describe the instructions blade |
Codeless |
Represents Codeless UI data connector. |
Connectivity |
Setting for the connector check connectivity |
Connectivity |
type of connectivity |
created |
The type of identity that created the resource. |
Customs |
Customs permissions required for the connector |
Data |
Common field for data type in data connectors. |
Data |
The kind of the data connector |
Data |
Data types to check for last data received |
Data |
Describe whether this data type connection is enabled or not. |
DCRConfiguration |
The configuration of the destination of the data. |
Dynamics365Cds |
Common Data Service data type connection. |
Dynamics365Data |
Represents Dynamics365 data connector. |
Dynamics365Data |
The available data types for Dynamics365 data connector. |
Exchange |
Exchange data type connection. |
GCPAuth |
Model for API authentication for all GCP kind connectors. |
GCPAuth |
Google Cloud Platform auth section properties. |
GCPData |
Represents Google Cloud Platform data connector. |
GCPRequest |
Google Cloud Platform request section properties. |
Generic |
Model for API authentication for working with service bus or storage account. |
Git |
Model for API authentication for GitHub. For this authentication, we first need to approve the Router app (Microsoft Security DevOps) to access the GitHub account. Then we only need the InstallationId to get the access token from https://api.github.com/app/installations/{installId}/access_tokens. |
Graph |
The graph query to show the current data status |
http |
The HTTP method, default value GET. |
Incidents |
Incidents data type for Microsoft Threat Protection Platforms data connector. |
Indicators |
Data type for indicators connection. |
Instructions |
Instruction step details |
Instruction |
Instruction steps to enable the connector |
Io |
Represents IoT data connector. |
Jwt |
Model for API authentication with JWT. Simple exchange between user name + password to access token. |
Logs |
Logs data type. |
MCASData |
Represents MCAS (Microsoft Cloud App Security) data connector. |
MCASData |
The available data types for MCAS (Microsoft Cloud App Security) data connector. |
MDATPData |
Represents MDATP (Microsoft Defender Advanced Threat Protection) data connector. |
Microsoft |
Data type for Microsoft Threat Intelligence Platforms data connector. |
Microsoft |
The available data types for Microsoft Purview Information Protection data connector. |
Microsoft |
Represents Microsoft Purview Information Protection data connector. |
MSTIData |
Represents Microsoft Threat Intelligence data connector. |
MSTIData |
The available data types for Microsoft Threat Intelligence Platforms data connector. |
MTPData |
Represents MTP (Microsoft Threat Protection) data connector. |
MTPData |
The available data types for Microsoft Threat Protection Platforms data connector. |
Mtp |
Represents the connector's Filtered providers |
Mtp |
The available data providers. |
None |
Model for API authentication with no authentication method - public API. |
OAuth |
Model for API authentication with OAuth2. |
Office365Project |
The available data types for Office Microsoft Project data connector. |
Office365Project |
Represents Office Microsoft Project data connector. |
Office |
Represents OfficeATP (Office 365 Advanced Threat Protection) data connector. |
Office |
Represents office data connector. |
Office |
The available data types for office data connector. |
Office |
Represents OfficeIRM (Microsoft Insider Risk Management) data connector. |
Office |
The available data types for Office Microsoft PowerBI data connector. |
Office |
Represents Office Microsoft PowerBI data connector. |
Oracle |
Model for API authentication for Oracle. |
Permission |
Permission provider scope |
Permissions |
Permissions required for the connector |
Polling |
The polling frequency for the TAXII server. |
Provider |
Provider name |
Required |
Required permissions for the connector |
Resource |
Resource provider permissions required for the connector |
Rest |
Represents Rest Api Poller data connector. |
Rest |
The request configuration. |
Rest |
The request paging configuration. |
Rest |
Type of paging |
Sample |
The sample queries for the connector |
Session |
Model for API authentication with session cookie. |
Setting |
The kind of the setting |
Share |
SharePoint data type connection. |
system |
Metadata pertaining to creation and last modification of the resource. |
Taxii |
Data type for TAXII connector. |
Teams |
Teams data type connection. |
TIData |
Represents threat intelligence data connector. |
TIData |
The available data types for TI (Threat Intelligence) data connector. |
Ti |
Data connector to pull Threat intelligence data from TAXII 2.0/2.1 server |
Ti |
The available data types for Threat Intelligence TAXII data connector. |
AADDataConnector
Represents AADIP (Azure Active Directory Identity Protection) data connector.
Name | Type | Description |
---|---|---|
etag |
string |
Etag of the azure resource |
id |
string |
Fully qualified resource ID for the resource. E.g. "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/{resourceProviderNamespace}/{resourceType}/{resourceName}" |
kind |
string:
Azure |
The data connector kind |
name |
string |
The name of the resource |
properties.dataTypes |
The available data types for the connector. |
|
properties.tenantId |
string |
The tenant id to connect to, and get the data from. |
systemData |
Azure Resource Manager metadata containing createdBy and modifiedBy information. |
|
type |
string |
The type of the resource. E.g. "Microsoft.Compute/virtualMachines" or "Microsoft.Storage/storageAccounts" |
AATPDataConnector
Represents AATP (Azure Advanced Threat Protection) data connector.
Name | Type | Description |
---|---|---|
etag |
string |
Etag of the azure resource |
id |
string |
Fully qualified resource ID for the resource. E.g. "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/{resourceProviderNamespace}/{resourceType}/{resourceName}" |
kind |
string:
Azure |
The data connector kind |
name |
string |
The name of the resource |
properties.dataTypes |
The available data types for the connector. |
|
properties.tenantId |
string |
The tenant id to connect to, and get the data from. |
systemData |
Azure Resource Manager metadata containing createdBy and modifiedBy information. |
|
type |
string |
The type of the resource. E.g. "Microsoft.Compute/virtualMachines" or "Microsoft.Storage/storageAccounts" |
Alerts
Alerts data type for Microsoft Threat Protection Platforms data connector.
Name | Type | Description |
---|---|---|
state |
Describe whether this data type connection is enabled or not. |
AlertsDataTypeOfDataConnector
Alerts data type for data connectors.
Name | Type | Description |
---|---|---|
alerts |
Alerts data type connection. |
ApiKeyAuthModel
Model for authentication with the API Key. Will result in additional header on the request (default behavior) to the remote server: 'ApiKeyName: ApiKeyIdentifier ApiKey'. If 'IsApiKeyInPostPayload' is true it will send it in the body of the request and not the header.
Name | Type | Description |
---|---|---|
apiKey |
string |
API Key for the user secret key credential |
apiKeyIdentifier |
string |
API Key Identifier |
apiKeyName |
string |
API Key name |
isApiKeyInPostPayload |
boolean |
Flag to indicate if API key is set in HTTP POST payload |
type |
string:
APIKey |
The auth type |
ASCDataConnector
Represents ASC (Azure Security Center) data connector.
Name | Type | Description |
---|---|---|
etag |
string |
Etag of the azure resource |
id |
string |
Fully qualified resource ID for the resource. E.g. "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/{resourceProviderNamespace}/{resourceType}/{resourceName}" |
kind |
string:
Azure |
The data connector kind |
name |
string |
The name of the resource |
properties.dataTypes |
The available data types for the connector. |
|
properties.subscriptionId |
string |
The subscription id to connect to, and get the data from. |
systemData |
Azure Resource Manager metadata containing createdBy and modifiedBy information. |
|
type |
string |
The type of the resource. E.g. "Microsoft.Compute/virtualMachines" or "Microsoft.Storage/storageAccounts" |
Availability
Connector Availability Status
Name | Type | Description |
---|---|---|
isPreview |
boolean |
Set connector as preview |
status |
The connector Availability Status |
AvailabilityStatus
The connector Availability Status
Value | Description |
---|---|
1 |
AWSAuthModel
Model for API authentication with AWS.
Name | Type | Description |
---|---|---|
externalId |
string |
AWS STS assume role external ID. This is used to prevent the confused deputy problem: 'https://docs.aws.amazon.com/IAM/latest/UserGuide/confused-deputy.html' |
roleArn |
string |
AWS STS assume role ARN |
type |
string:
AWS |
The auth type |
AwsCloudTrailDataConnector
Represents Amazon Web Services CloudTrail data connector.
Name | Type | Description |
---|---|---|
etag |
string |
Etag of the azure resource |
id |
string |
Fully qualified resource ID for the resource. E.g. "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/{resourceProviderNamespace}/{resourceType}/{resourceName}" |
kind |
string:
Amazon |
The data connector kind |
name |
string |
The name of the resource |
properties.awsRoleArn |
string |
The Aws Role Arn (with CloudTrailReadOnly policy) that is used to access the Aws account. |
properties.dataTypes |
The available data types for the connector. |
|
systemData |
Azure Resource Manager metadata containing createdBy and modifiedBy information. |
|
type |
string |
The type of the resource. E.g. "Microsoft.Compute/virtualMachines" or "Microsoft.Storage/storageAccounts" |
AwsCloudTrailDataConnectorDataTypes
The available data types for Amazon Web Services CloudTrail data connector.
Name | Type | Description |
---|---|---|
logs |
Logs data type. |
AwsS3DataConnector
Represents Amazon Web Services S3 data connector.
Name | Type | Description |
---|---|---|
etag |
string |
Etag of the azure resource |
id |
string |
Fully qualified resource ID for the resource. E.g. "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/{resourceProviderNamespace}/{resourceType}/{resourceName}" |
kind |
string:
Amazon |
The data connector kind |
name |
string |
The name of the resource |
properties.dataTypes |
The available data types for the connector. |
|
properties.destinationTable |
string |
The logs destination table name in LogAnalytics. |
properties.roleArn |
string |
The Aws Role Arn that is used to access the Aws account. |
properties.sqsUrls |
string[] |
The AWS sqs urls for the connector. |
systemData |
Azure Resource Manager metadata containing createdBy and modifiedBy information. |
|
type |
string |
The type of the resource. E.g. "Microsoft.Compute/virtualMachines" or "Microsoft.Storage/storageAccounts" |
AwsS3DataConnectorDataTypes
The available data types for Amazon Web Services S3 data connector.
Name | Type | Description |
---|---|---|
logs |
Logs data type. |
BasicAuthModel
Model for API authentication with basic flow - user name + password.
Name | Type | Description |
---|---|---|
password |
string |
The password |
type |
string:
Basic |
The auth type |
userName |
string |
The user name. |
CcpAuthType
Type of paging
Value | Description |
---|---|
APIKey | |
AWS | |
Basic | |
GCP | |
GitHub | |
JwtToken | |
None | |
OAuth2 | |
Oracle | |
ServiceBus | |
Session |
CcpResponseConfig
A custom response configuration for a rule.
Name | Type | Default value | Description |
---|---|---|---|
compressionAlgo | string | | The compression algorithm. |
convertChildPropertiesToArray | boolean | | A value indicating whether the response isn't an array of events / logs. Setting this flag to true means the remote server will respond with an object in which each property has an array of events / logs as its value. |
csvDelimiter | string | | The CSV delimiter, in case the response format is CSV. |
csvEscape | string | " | The character used to escape characters in CSV. |
eventsJsonPaths | string[] | | The JSON paths; the '$' char is the JSON root. |
format | string | json | The response format. Possible values are json, csv, xml. |
hasCsvBoundary | boolean | | The value indicating whether the response has a CSV boundary, in case the response is in CSV format. |
hasCsvHeader | boolean | | The value indicating whether the response has headers, in case the response is in CSV format. |
isGzipCompressed | boolean | | The value indicating whether the remote server supports Gzip and we should expect a Gzip response. |
successStatusJsonPath | string | | The value where the status message/code should appear in the response. |
successStatusValue | string | | The status value. |
CloudError
Error response structure.
Name | Type | Description |
---|---|---|
error |
Error data |
CloudErrorBody
Error details.
Name | Type | Description |
---|---|---|
code |
string |
An identifier for the error. Codes are invariant and are intended to be consumed programmatically. |
message |
string |
A message describing the error, intended to be suitable for display in a user interface. |
CodelessApiPollingDataConnector
Represents Codeless API Polling data connector.
Name | Type | Description |
---|---|---|
etag |
string |
Etag of the azure resource |
id |
string |
Fully qualified resource ID for the resource. E.g. "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/{resourceProviderNamespace}/{resourceType}/{resourceName}" |
kind |
string:
APIPolling |
The data connector kind |
name |
string |
The name of the resource |
properties.connectorUiConfig |
Config to describe the instructions blade |
|
properties.pollingConfig |
Config to describe the polling instructions |
|
systemData |
Azure Resource Manager metadata containing createdBy and modifiedBy information. |
|
type |
string |
The type of the resource. E.g. "Microsoft.Compute/virtualMachines" or "Microsoft.Storage/storageAccounts" |
CodelessConnectorPollingAuthProperties
Describe the authentication properties needed to successfully authenticate with the server
Name | Type | Description |
---|---|---|
apiKeyIdentifier |
string |
A prefix sent in the header before the actual token |
apiKeyName |
string |
The header name which the token is sent with |
authType |
string |
The authentication type |
authorizationEndpoint |
string |
The endpoint used to authorize the user, used in OAuth 2.0 flow |
authorizationEndpointQueryParameters |
object |
The query parameters used in authorization request, used in OAuth 2.0 flow |
flowName |
string |
Describes the flow name, for example 'AuthCode' for OAuth 2.0 |
isApiKeyInPostPayload |
string |
Marks if the key should be sent in header |
isClientSecretInHeader |
boolean |
Marks if we should send the client secret in header or payload, used in OAuth 2.0 flow |
redirectionEndpoint |
string |
The redirect endpoint where we will get the authorization code, used in OAuth 2.0 flow |
scope |
string |
The OAuth token scope |
tokenEndpoint |
string |
The endpoint used to issue a token, used in OAuth 2.0 flow |
tokenEndpointHeaders |
object |
The query headers used in token request, used in OAuth 2.0 flow |
tokenEndpointQueryParameters |
object |
The query parameters used in token request, used in OAuth 2.0 flow |
CodelessConnectorPollingConfigProperties
Config to describe the polling config for API poller connector
Name | Type | Description |
---|---|---|
auth |
Describe the authentication type of the poller |
|
isActive |
boolean |
The poller active status |
paging |
Describe the poll request paging config of the poller |
|
request |
Describe the poll request config parameters of the poller |
|
response |
Describe the response config parameters of the poller |
CodelessConnectorPollingPagingProperties
Describe the properties needed to make a pagination call
Name | Type | Description |
---|---|---|
nextPageParaName |
string |
Defines the name of a next page attribute |
nextPageTokenJsonPath |
string |
Defines the path to a next page token JSON |
pageCountAttributePath |
string |
Defines the path to a page count attribute |
pageSize |
integer |
Defines the paging size |
pageSizeParaName |
string |
Defines the name of the page size parameter |
pageTimeStampAttributePath |
string |
Defines the path to a paging time stamp attribute |
pageTotalCountAttributePath |
string |
Defines the path to a page total count attribute |
pagingType |
string |
Describes the type. Could be 'None', 'PageToken', 'PageCount', 'TimeStamp' |
searchTheLatestTimeStampFromEventsList |
string |
Determines whether to search for the latest time stamp in the events list |
CodelessConnectorPollingRequestProperties
Describe the request properties needed to successfully pull from the server
Name | Type | Description |
---|---|---|
apiEndpoint |
string |
Describe the endpoint we should pull the data from |
endTimeAttributeName |
string |
This will be used to query events from the end of the time window |
headers |
object |
Describe the headers sent in the poll request |
httpMethod |
string |
The http method type we will use in the poll request, GET or POST |
queryParameters |
object |
Describe the query parameters sent in the poll request |
queryParametersTemplate |
string |
For advanced scenarios for example user name/password embedded in nested JSON payload |
queryTimeFormat |
string |
The time format that will be used to query events in a specific window |
queryWindowInMin |
integer |
The window interval we will use to pull the data |
rateLimitQps |
integer |
Defines the rate limit QPS |
retryCount |
integer |
Describe the amount of time we should try and poll the data in case of failure |
startTimeAttributeName |
string |
This will be used to query events from the start of the time window |
timeoutInSeconds |
integer |
The number of seconds we will consider as a request timeout |
CodelessConnectorPollingResponseProperties
Describes the response from the external server
Name | Type | Description |
---|---|---|
eventsJsonPaths |
string[] |
Describes the path we should extract the data in the response |
isGzipCompressed |
boolean |
Describes if the data in the response is Gzip |
successStatusJsonPath |
string |
Describes the path we should extract the status code in the response |
successStatusValue |
string |
Describes the path we should extract the status value in the response |
CodelessUiConnectorConfigProperties
Config to describe the instructions blade
Name | Type | Description |
---|---|---|
availability |
Connector Availability Status |
|
connectivityCriteria |
Define the way the connector checks connectivity |
|
customImage |
string |
An optional custom image to be used when displaying the connector within Azure Sentinel's connector's gallery |
dataTypes |
Data types to check for last data received |
|
descriptionMarkdown |
string |
Connector description |
graphQueries |
The graph query to show the current data status |
|
graphQueriesTableName |
string |
Name of the table the connector will insert the data to |
instructionSteps |
Instruction steps to enable the connector |
|
permissions |
Permissions required for the connector |
|
publisher |
string |
Connector publisher name |
sampleQueries |
The sample queries for the connector |
|
title |
string |
Connector blade title |
CodelessUiDataConnector
Represents Codeless UI data connector.
Name | Type | Description |
---|---|---|
etag |
string |
Etag of the azure resource |
id |
string |
Fully qualified resource ID for the resource. E.g. "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/{resourceProviderNamespace}/{resourceType}/{resourceName}" |
kind |
string:
GenericUI |
The data connector kind |
name |
string |
The name of the resource |
properties.connectorUiConfig |
Config to describe the instructions blade |
|
systemData |
Azure Resource Manager metadata containing createdBy and modifiedBy information. |
|
type |
string |
The type of the resource. E.g. "Microsoft.Compute/virtualMachines" or "Microsoft.Storage/storageAccounts" |
ConnectivityCriteria
Setting for the connector check connectivity
Name | Type | Description |
---|---|---|
type |
type of connectivity |
|
value |
string[] |
Queries for checking connectivity |
ConnectivityType
type of connectivity
Value | Description |
---|---|
IsConnectedQuery |
createdByType
The type of identity that created the resource.
Value | Description |
---|---|
Application | |
Key | |
ManagedIdentity | |
User |
Customs
Customs permissions required for the connector
Name | Type | Description |
---|---|---|
description |
string |
Customs permissions description |
name |
string |
Customs permissions name |
DataConnectorDataTypeCommon
Common field for data type in data connectors.
Name | Type | Description |
---|---|---|
state |
Describe whether this data type connection is enabled or not. |
DataConnectorKind
The kind of the data connector
Value | Description |
---|---|
APIPolling | |
AmazonWebServicesCloudTrail | |
AmazonWebServicesS3 | |
AzureActiveDirectory | |
AzureAdvancedThreatProtection | |
AzureSecurityCenter | |
Dynamics365 | |
GCP | |
GenericUI | |
IOT | |
MicrosoftCloudAppSecurity | |
MicrosoftDefenderAdvancedThreatProtection | |
MicrosoftPurviewInformationProtection | |
MicrosoftThreatIntelligence | |
MicrosoftThreatProtection | |
Office365 | |
Office365Project | |
OfficeATP | |
OfficeIRM | |
OfficePowerBI | |
RestApiPoller | |
ThreatIntelligence | |
ThreatIntelligenceTaxii |
DataTypes
Data types to check for last data received
Name | Type | Description |
---|---|---|
lastDataReceivedQuery |
string |
Query to indicate the last data received |
name |
string |
Name of the data type to show in the graph. Can be used with the {{graphQueriesTableName}} placeholder |
DataTypeState
Describe whether this data type connection is enabled or not.
Value | Description |
---|---|
Disabled | |
Enabled |
DCRConfiguration
The configuration of the destination of the data.
Name | Type | Description |
---|---|---|
dataCollectionEndpoint |
string |
Represents the data collection ingestion endpoint in log analytics. |
dataCollectionRuleImmutableId |
string |
The data collection rule immutable id, the rule defines the transformation and data destination. |
streamName |
string |
The stream we are sending the data to. |
Dynamics365CdsActivities
Common Data Service data type connection.
Name | Type | Description |
---|---|---|
state |
Describe whether this data type connection is enabled or not. |
Dynamics365DataConnector
Represents Dynamics365 data connector.
Name | Type | Description |
---|---|---|
etag |
string |
Etag of the azure resource |
id |
string |
Fully qualified resource ID for the resource. E.g. "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/{resourceProviderNamespace}/{resourceType}/{resourceName}" |
kind |
string:
Dynamics365 |
The data connector kind |
name |
string |
The name of the resource |
properties.dataTypes |
The available data types for the connector. |
|
properties.tenantId |
string |
The tenant id to connect to, and get the data from. |
systemData |
Azure Resource Manager metadata containing createdBy and modifiedBy information. |
|
type |
string |
The type of the resource. E.g. "Microsoft.Compute/virtualMachines" or "Microsoft.Storage/storageAccounts" |
Dynamics365DataConnectorDataTypes
The available data types for Dynamics365 data connector.
Name | Type | Description |
---|---|---|
dynamics365CdsActivities |
Common Data Service data type connection. |
Exchange
Exchange data type connection.
Name | Type | Description |
---|---|---|
state |
Describe whether this data type connection is enabled or not. |
GCPAuthModel
Model for API authentication for all GCP kind connectors.
Name | Type | Description |
---|---|---|
projectNumber |
string |
GCP Project Number |
serviceAccountEmail |
string |
GCP Service Account Email |
type |
string:
GCP |
The auth type |
workloadIdentityProviderId |
string |
GCP Workload Identity Provider ID |
GCPAuthProperties
Google Cloud Platform auth section properties.
Name | Type | Description |
---|---|---|
projectNumber |
string |
The GCP project number. |
serviceAccountEmail |
string |
The service account that is used to access the GCP project. |
workloadIdentityProviderId |
string |
The workload identity provider id that is used to gain access to the GCP project. |
GCPDataConnector
Represents Google Cloud Platform data connector.
Name | Type | Description |
---|---|---|
etag |
string |
Etag of the azure resource |
id |
string |
Fully qualified resource ID for the resource. E.g. "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/{resourceProviderNamespace}/{resourceType}/{resourceName}" |
kind |
string:
GCP |
The data connector kind |
name |
string |
The name of the resource |
properties.auth |
The auth section of the connector. |
|
properties.connectorDefinitionName |
string |
The name of the connector definition that represents the UI config. |
properties.dcrConfig |
The configuration of the destination of the data. |
|
properties.request |
The request section of the connector. |
|
systemData |
Azure Resource Manager metadata containing createdBy and modifiedBy information. |
|
type |
string |
The type of the resource. E.g. "Microsoft.Compute/virtualMachines" or "Microsoft.Storage/storageAccounts" |
GCPRequestProperties
Google Cloud Platform request section properties.
Name | Type | Description |
---|---|---|
projectId |
string |
The GCP project id. |
subscriptionNames |
string[] |
The GCP pub/sub subscription names. |
GenericBlobSbsAuthModel
Model for API authentication for working with service bus or storage account.
Name | Type | Description |
---|---|---|
credentialsConfig |
object |
Credentials for service bus namespace, keyvault uri for access key |
storageAccountCredentialsConfig |
object |
Credentials for storage account, keyvault uri for access key |
type |
string:
Service |
The auth type |
GitHubAuthModel
Model for API authentication for GitHub. For this authentication, we first need to approve the Router app (Microsoft Security DevOps) to access the GitHub account. Then we only need the InstallationId to get the access token from https://api.github.com/app/installations/{installId}/access_tokens.
Name | Type | Description |
---|---|---|
installationId |
string |
The GitHubApp auth installation id. |
type |
string:
Git |
The auth type |
GraphQueries
The graph query to show the current data status
Name | Type | Description |
---|---|---|
baseQuery |
string |
The base query for the graph |
legend |
string |
The legend for the graph |
metricName |
string |
The metric that the query is checking |
httpMethodVerb
The HTTP method, default value GET.
Value | Description |
---|---|
DELETE | |
GET | |
POST | |
PUT |
Incidents
Incidents data type for Microsoft Threat Protection Platforms data connector.
Name | Type | Description |
---|---|---|
state |
Describe whether this data type connection is enabled or not. |
Indicators
Data type for indicators connection.
Name | Type | Description |
---|---|---|
state |
Describe whether this data type connection is enabled or not. |
Instructions
Instruction step details
Name | Type | Description |
---|---|---|
parameters |
object |
The parameters for the setting |
type |
The kind of the setting |
InstructionSteps
Instruction steps to enable the connector
Name | Type | Description |
---|---|---|
description |
string |
Instruction step description |
instructions |
Instruction step details |
|
title |
string |
Instruction step title |
IoTDataConnector
Represents IoT data connector.
Name | Type | Description |
---|---|---|
etag |
string |
Etag of the azure resource |
id |
string |
Fully qualified resource ID for the resource. E.g. "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/{resourceProviderNamespace}/{resourceType}/{resourceName}" |
kind |
string:
IOT |
The data connector kind |
name |
string |
The name of the resource |
properties.dataTypes |
The available data types for the connector. |
|
properties.subscriptionId |
string |
The subscription id to connect to, and get the data from. |
systemData |
Azure Resource Manager metadata containing createdBy and modifiedBy information. |
|
type |
string |
The type of the resource. E.g. "Microsoft.Compute/virtualMachines" or "Microsoft.Storage/storageAccounts" |
JwtAuthModel
Model for API authentication with JWT. Simple exchange between user name + password to access token.
Name | Type | Default value | Description |
---|---|---|---|
headers | object | | The custom headers we want to add once we send the request to the token endpoint. |
isCredentialsInHeaders | boolean | | Flag indicating whether we want to send the user name and password to the token endpoint in the headers. |
isJsonRequest | boolean | False | Flag indicating whether the body request is JSON (header Content-Type = application/json), meaning it's a Form URL encoded request (header Content-Type = application/x-www-form-urlencoded). |
password | object | | The password |
queryParameters | object | | The custom query parameter we want to add once we send the request to the token endpoint. |
requestTimeoutInSeconds | integer | 100 | Request timeout in seconds. |
tokenEndpoint | string | | Token endpoint to request JWT |
type | string: Jwt | | The auth type |
userName | object | | The user name. If user name and password sent in header request we only need to populate the |
Logs
Logs data type.
Name | Type | Description |
---|---|---|
state |
Describe whether this data type connection is enabled or not. |
MCASDataConnector
Represents MCAS (Microsoft Cloud App Security) data connector.
Name | Type | Description |
---|---|---|
etag |
string |
Etag of the azure resource |
id |
string |
Fully qualified resource ID for the resource. E.g. "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/{resourceProviderNamespace}/{resourceType}/{resourceName}" |
kind |
string:
Microsoft |
The data connector kind |
name |
string |
The name of the resource |
properties.dataTypes |
The available data types for the connector. |
|
properties.tenantId |
string |
The tenant id to connect to, and get the data from. |
systemData |
Azure Resource Manager metadata containing createdBy and modifiedBy information. |
|
type |
string |
The type of the resource. E.g. "Microsoft.Compute/virtualMachines" or "Microsoft.Storage/storageAccounts" |
MCASDataConnectorDataTypes
The available data types for MCAS (Microsoft Cloud App Security) data connector.
Name | Type | Description |
---|---|---|
alerts |
Alerts data type connection. |
|
discoveryLogs |
Discovery log data type connection. |
MDATPDataConnector
Represents MDATP (Microsoft Defender Advanced Threat Protection) data connector.
Name | Type | Description |
---|---|---|
etag |
string |
Etag of the azure resource |
id |
string |
Fully qualified resource ID for the resource. E.g. "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/{resourceProviderNamespace}/{resourceType}/{resourceName}" |
kind |
string:
Microsoft |
The data connector kind |
name |
string |
The name of the resource |
properties.dataTypes |
The available data types for the connector. |
|
properties.tenantId |
string |
The tenant id to connect to, and get the data from. |
systemData |
Azure Resource Manager metadata containing createdBy and modifiedBy information. |
|
type |
string |
The type of the resource. E.g. "Microsoft.Compute/virtualMachines" or "Microsoft.Storage/storageAccounts" |
MicrosoftEmergingThreatFeed
Data type for Microsoft Threat Intelligence Platforms data connector.
Name | Type | Description |
---|---|---|
lookbackPeriod | string | The lookback period for the feed to be imported. |
state | | Describes whether this data type connection is enabled or not. |
MicrosoftPurviewInformationProtectionConnectorDataTypes
The available data types for Microsoft Purview Information Protection data connector.
Name | Type | Description |
---|---|---|
logs | | Logs data type. |
MicrosoftPurviewInformationProtectionDataConnector
Represents Microsoft Purview Information Protection data connector.
Name | Type | Description |
---|---|---|
etag | string | Etag of the Azure resource |
id | string | Fully qualified resource ID for the resource. E.g. "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/{resourceProviderNamespace}/{resourceType}/{resourceName}" |
kind | string: Microsoft | The data connector kind |
name | string | The name of the resource |
properties.dataTypes | | The available data types for the connector. |
properties.tenantId | string | The tenant id to connect to, and get the data from. |
systemData | | Azure Resource Manager metadata containing createdBy and modifiedBy information. |
type | string | The type of the resource. E.g. "Microsoft.Compute/virtualMachines" or "Microsoft.Storage/storageAccounts" |
MSTIDataConnector
Represents Microsoft Threat Intelligence data connector.
Name | Type | Description |
---|---|---|
etag | string | Etag of the Azure resource |
id | string | Fully qualified resource ID for the resource. E.g. "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/{resourceProviderNamespace}/{resourceType}/{resourceName}" |
kind | string: Microsoft | The data connector kind |
name | string | The name of the resource |
properties.dataTypes | | The available data types for the connector. |
properties.tenantId | string | The tenant id to connect to, and get the data from. |
systemData | | Azure Resource Manager metadata containing createdBy and modifiedBy information. |
type | string | The type of the resource. E.g. "Microsoft.Compute/virtualMachines" or "Microsoft.Storage/storageAccounts" |
MSTIDataConnectorDataTypes
The available data types for Microsoft Threat Intelligence Platforms data connector.
Name | Type | Description |
---|---|---|
microsoftEmergingThreatFeed | | Data type for Microsoft Threat Intelligence Platforms data connector. |
MTPDataConnector
Represents MTP (Microsoft Threat Protection) data connector.
Name | Type | Description |
---|---|---|
etag | string | Etag of the Azure resource |
id | string | Fully qualified resource ID for the resource. E.g. "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/{resourceProviderNamespace}/{resourceType}/{resourceName}" |
kind | string: Microsoft | The data connector kind |
name | string | The name of the resource |
properties.dataTypes | | The available data types for the connector. |
properties.filteredProviders | | The available filtered providers for the connector. |
properties.tenantId | string | The tenant id to connect to, and get the data from. |
systemData | | Azure Resource Manager metadata containing createdBy and modifiedBy information. |
type | string | The type of the resource. E.g. "Microsoft.Compute/virtualMachines" or "Microsoft.Storage/storageAccounts" |
MTPDataConnectorDataTypes
The available data types for Microsoft Threat Protection Platforms data connector.
Name | Type | Description |
---|---|---|
alerts | | Alerts data type for Microsoft Threat Protection Platforms data connector. |
incidents | | Incidents data type for Microsoft Threat Protection Platforms data connector. |
MtpFilteredProviders
Represents the connector's Filtered providers
Name | Type | Description |
---|---|---|
alerts | | Alerts filtered providers. When filters are not applied, all alerts will stream through the MTP pipeline, still in private preview for all products EXCEPT MDA and MDI, which are in GA state. |
MtpProvider
The available data providers.
Value | Description |
---|---|
microsoftDefenderForCloudApps | |
microsoftDefenderForIdentity | |
NoneAuthModel
Model for API authentication with no authentication method - public API.
Name | Type | Description |
---|---|---|
type | string: None | The auth type |
OAuthModel
Model for API authentication with OAuth2.
Name | Type | Default value | Description |
---|---|---|---|
accessTokenPrepend | string | | Access token prepend. Default is 'Bearer'. |
authorizationCode | string | | The user's authorization code. |
authorizationEndpoint | string | | The authorization endpoint. |
authorizationEndpointHeaders | object | | The authorization endpoint headers. |
authorizationEndpointQueryParameters | object | | The authorization endpoint query parameters. |
clientId | string | | The Application (client) ID that the OAuth provider assigned to your app. |
clientSecret | string | | The Application (client) secret that the OAuth provider assigned to your app. |
grantType | string | | The grant type, usually will be 'authorization code'. |
isCredentialsInHeaders | boolean | False | Indicates whether to send the clientId and clientSecret to the token endpoint in the headers. |
isJwtBearerFlow | boolean | | A value indicating whether it's a JWT flow. |
redirectUri | string | | The application redirect URL that the user configured in the OAuth provider. |
scope | string | | The Application (client) Scope that the OAuth provider assigned to your app. |
tokenEndpoint | string | | The token endpoint. Defines the OAuth2 refresh token. |
tokenEndpointHeaders | object | | The token endpoint headers. |
tokenEndpointQueryParameters | object | | The token endpoint query parameters. |
type | string: OAuth2 | | The auth type |
Office365ProjectConnectorDataTypes
The available data types for Office Microsoft Project data connector.
Name | Type | Description |
---|---|---|
logs | | Logs data type. |
Office365ProjectDataConnector
Represents Office Microsoft Project data connector.
Name | Type | Description |
---|---|---|
etag | string | Etag of the Azure resource |
id | string | Fully qualified resource ID for the resource. E.g. "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/{resourceProviderNamespace}/{resourceType}/{resourceName}" |
kind | string: Office365Project | The data connector kind |
name | string | The name of the resource |
properties.dataTypes | | The available data types for the connector. |
properties.tenantId | string | The tenant id to connect to, and get the data from. |
systemData | | Azure Resource Manager metadata containing createdBy and modifiedBy information. |
type | string | The type of the resource. E.g. "Microsoft.Compute/virtualMachines" or "Microsoft.Storage/storageAccounts" |
OfficeATPDataConnector
Represents OfficeATP (Office 365 Advanced Threat Protection) data connector.
Name | Type | Description |
---|---|---|
etag | string | Etag of the Azure resource |
id | string | Fully qualified resource ID for the resource. E.g. "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/{resourceProviderNamespace}/{resourceType}/{resourceName}" |
kind | string: OfficeATP | The data connector kind |
name | string | The name of the resource |
properties.dataTypes | | The available data types for the connector. |
properties.tenantId | string | The tenant id to connect to, and get the data from. |
systemData | | Azure Resource Manager metadata containing createdBy and modifiedBy information. |
type | string | The type of the resource. E.g. "Microsoft.Compute/virtualMachines" or "Microsoft.Storage/storageAccounts" |
OfficeDataConnector
Represents office data connector.
Name | Type | Description |
---|---|---|
etag | string | Etag of the Azure resource |
id | string | Fully qualified resource ID for the resource. E.g. "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/{resourceProviderNamespace}/{resourceType}/{resourceName}" |
kind | string: Office365 | The data connector kind |
name | string | The name of the resource |
properties.dataTypes | | The available data types for the connector. |
properties.tenantId | string | The tenant id to connect to, and get the data from. |
systemData | | Azure Resource Manager metadata containing createdBy and modifiedBy information. |
type | string | The type of the resource. E.g. "Microsoft.Compute/virtualMachines" or "Microsoft.Storage/storageAccounts" |
OfficeDataConnectorDataTypes
The available data types for office data connector.
Name | Type | Description |
---|---|---|
exchange | | Exchange data type connection. |
sharePoint | | SharePoint data type connection. |
teams | | Teams data type connection. |
OfficeIRMDataConnector
Represents OfficeIRM (Microsoft Insider Risk Management) data connector.
Name | Type | Description |
---|---|---|
etag | string | Etag of the Azure resource |
id | string | Fully qualified resource ID for the resource. E.g. "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/{resourceProviderNamespace}/{resourceType}/{resourceName}" |
kind | string: OfficeIRM | The data connector kind |
name | string | The name of the resource |
properties.dataTypes | | The available data types for the connector. |
properties.tenantId | string | The tenant id to connect to, and get the data from. |
systemData | | Azure Resource Manager metadata containing createdBy and modifiedBy information. |
type | string | The type of the resource. E.g. "Microsoft.Compute/virtualMachines" or "Microsoft.Storage/storageAccounts" |
OfficePowerBIConnectorDataTypes
The available data types for Office Microsoft PowerBI data connector.
Name | Type | Description |
---|---|---|
logs | | Logs data type. |
OfficePowerBIDataConnector
Represents Office Microsoft PowerBI data connector.
Name | Type | Description |
---|---|---|
etag | string | Etag of the Azure resource |
id | string | Fully qualified resource ID for the resource. E.g. "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/{resourceProviderNamespace}/{resourceType}/{resourceName}" |
kind | string: Office | The data connector kind |
name | string | The name of the resource |
properties.dataTypes | | The available data types for the connector. |
properties.tenantId | string | The tenant id to connect to, and get the data from. |
systemData | | Azure Resource Manager metadata containing createdBy and modifiedBy information. |
type | string | The type of the resource. E.g. "Microsoft.Compute/virtualMachines" or "Microsoft.Storage/storageAccounts" |
OracleAuthModel
Model for API authentication for Oracle.
Name | Type | Description |
---|---|---|
pemFile | string | Content of the PEM file |
publicFingerprint | string | Public Fingerprint |
tenantId | string | Oracle tenant ID |
type | string: Oracle | The auth type |
userId | string | Oracle user ID |
PermissionProviderScope
Permission provider scope
Value | Description |
---|---|
ResourceGroup | |
Subscription | |
Workspace | |
Permissions
Permissions required for the connector
Name | Type | Description |
---|---|---|
customs | Customs[] | Customs permissions required for the connector |
resourceProvider | | Resource provider permissions required for the connector |
PollingFrequency
The polling frequency for the TAXII server.
Value | Description |
---|---|
OnceADay | Once a day |
OnceAMinute | Once a minute |
OnceAnHour | Once an hour |
ProviderName
Provider name
Value | Description |
---|---|
Microsoft.Authorization/policyAssignments | |
Microsoft.OperationalInsights/solutions | |
Microsoft.OperationalInsights/workspaces | |
Microsoft.OperationalInsights/workspaces/datasources | |
Microsoft.OperationalInsights/workspaces/sharedKeys | |
microsoft.aadiam/diagnosticSettings | |
RequiredPermissions
Required permissions for the connector
Name | Type | Description |
---|---|---|
action | boolean | action permission |
delete | boolean | delete permission |
read | boolean | read permission |
write | boolean | write permission |
ResourceProvider
Resource provider permissions required for the connector
Name | Type | Description |
---|---|---|
permissionsDisplayText | string | Permission description text |
provider | | Provider name |
providerDisplayName | string | Permission provider display name |
requiredPermissions | | Required permissions for the connector |
scope | | Permission provider scope |
RestApiPollerDataConnector
Represents Rest Api Poller data connector.
Name | Type | Description |
---|---|---|
etag | string | Etag of the Azure resource |
id | string | Fully qualified resource ID for the resource. E.g. "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/{resourceProviderNamespace}/{resourceType}/{resourceName}" |
kind | string: Rest | The data connector kind |
name | string | The name of the resource |
properties.addOnAttributes | object | The add on attributes. The key name will become attribute name (a column) and the value will become the attribute value in the payload. |
properties.auth | CcpAuthConfig: | The authentication model. |
properties.connectorDefinitionName | string | The connector definition name (the dataConnectorDefinition resource id). |
properties.dataType | string | The Log Analytics table destination. |
properties.dcrConfig | | The DCR related properties. |
properties.isActive | boolean | Indicates whether the connector is active or not. |
properties.paging | | The paging configuration. |
properties.request | | The request configuration. |
properties.response | | The response configuration. |
systemData | | Azure Resource Manager metadata containing createdBy and modifiedBy information. |
type | string | The type of the resource. E.g. "Microsoft.Compute/virtualMachines" or "Microsoft.Storage/storageAccounts" |
RestApiPollerRequestConfig
The request configuration.
Name | Type | Description |
---|---|---|
apiEndpoint | string | The API endpoint. |
endTimeAttributeName | string | The query parameter name which the remote server expects to end the query. This property goes hand in hand with |
headers | object | The header for the request for the remote server. |
httpMethod | | The HTTP method, default value GET. |
isPostPayloadJson | boolean | Flag to indicate if HTTP POST payload is in JSON format (vs form-urlencoded). |
queryParameters | | The HTTP query parameters to RESTful API. |
queryParametersTemplate | string | The query parameters template. Defines the query parameters template to use when passing query parameters in advanced scenarios. |
queryTimeFormat | string | The query time format. A remote server can have a query to pull data from range 'start' to 'end'. This property indicates the expected time format that the remote server knows how to parse. |
queryTimeIntervalAttributeName | string | The query parameter name which we need to send the server for query logs in time interval. Should be defined with |
queryTimeIntervalDelimiter | string | The delimiter string between 2 QueryTimeFormat in the query parameter |
queryTimeIntervalPrepend | string | The string prepend to the value of the query parameter in |
queryWindowInMin | integer | The query window in minutes for the request. |
rateLimitQPS | integer | The rate limit, in queries per second, for the request. |
retryCount | integer | The retry count. |
startTimeAttributeName | string | The query parameter name which the remote server expects to start the query. This property goes hand in hand with |
timeoutInSeconds | integer | The timeout in seconds. |
RestApiPollerRequestPagingConfig
The request paging configuration.
Name | Type | Description |
---|---|---|
pageSize | integer | Page size |
pageSizeParameterName | string | Page size parameter name |
pagingType | | Type of paging |
RestApiPollerRequestPagingKind
Type of paging
Value | Description |
---|---|
CountBasedPaging | |
LinkHeader | |
NextPageToken | |
NextPageUrl | |
Offset | |
PersistentLinkHeader | |
PersistentToken | |
SampleQueries
The sample queries for the connector
Name | Type | Description |
---|---|---|
description | string | The sample query description |
query | string | The sample query |
SessionAuthModel
Model for API authentication with session cookie.
Name | Type | Description |
---|---|---|
headers | object | HTTP request headers to session service endpoint. |
isPostPayloadJson | boolean | Indicating whether API key is set in HTTP POST payload. |
password | object | The password attribute name. |
queryParameters | | Query parameters to session service endpoint. |
sessionIdName | string | Session id attribute name from HTTP response header. |
sessionLoginRequestUri | string | HTTP request URL to session service endpoint. |
sessionTimeoutInMinutes | integer | Session timeout in minutes. |
type | string: Session | The auth type |
userName | object | The user name attribute key value. |
SettingType
The kind of the setting
Value | Description |
---|---|
CopyableLabel | |
InfoMessage | |
InstructionStepsGroup | |
SharePoint
SharePoint data type connection.
Name | Type | Description |
---|---|---|
state | | Describes whether this data type connection is enabled or not. |
systemData
Metadata pertaining to creation and last modification of the resource.
Name | Type | Description |
---|---|---|
createdAt | string | The timestamp of resource creation (UTC). |
createdBy | string | The identity that created the resource. |
createdByType | | The type of identity that created the resource. |
lastModifiedAt | string | The timestamp of resource last modification (UTC) |
lastModifiedBy | string | The identity that last modified the resource. |
lastModifiedByType | | The type of identity that last modified the resource. |
TaxiiClient
Data type for TAXII connector.
Name | Type | Description |
---|---|---|
state | | Describes whether this data type connection is enabled or not. |
Teams
Teams data type connection.
Name | Type | Description |
---|---|---|
state | | Describes whether this data type connection is enabled or not. |
TIDataConnector
Represents threat intelligence data connector.
Name | Type | Description |
---|---|---|
etag | string | Etag of the Azure resource |
id | string | Fully qualified resource ID for the resource. E.g. "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/{resourceProviderNamespace}/{resourceType}/{resourceName}" |
kind | string: Threat | The data connector kind |
name | string | The name of the resource |
properties.dataTypes | | The available data types for the connector. |
properties.tenantId | string | The tenant id to connect to, and get the data from. |
properties.tipLookbackPeriod | string | The lookback period for the feed to be imported. |
systemData | | Azure Resource Manager metadata containing createdBy and modifiedBy information. |
type | string | The type of the resource. E.g. "Microsoft.Compute/virtualMachines" or "Microsoft.Storage/storageAccounts" |
TIDataConnectorDataTypes
The available data types for TI (Threat Intelligence) data connector.
Name | Type | Description |
---|---|---|
indicators | | Data type for indicators connection. |
TiTaxiiDataConnector
Data connector to pull Threat intelligence data from TAXII 2.0/2.1 server
Name | Type | Description |
---|---|---|
etag | string | Etag of the Azure resource |
id | string | Fully qualified resource ID for the resource. E.g. "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/{resourceProviderNamespace}/{resourceType}/{resourceName}" |
kind | string: Threat | The data connector kind |
name | string | The name of the resource |
properties.collectionId | string | The collection id of the TAXII server. |
properties.dataTypes | | The available data types for Threat Intelligence TAXII data connector. |
properties.friendlyName | string | The friendly name for the TAXII server. |
properties.password | string | The password for the TAXII server. |
properties.pollingFrequency | | The polling frequency for the TAXII server. |
properties.taxiiLookbackPeriod | string | The lookback period for the TAXII server. |
properties.taxiiServer | string | The API root for the TAXII server. |
properties.tenantId | string | The tenant id to connect to, and get the data from. |
properties.userName | string | The userName for the TAXII server. |
properties.workspaceId | string | The workspace id. |
systemData | | Azure Resource Manager metadata containing createdBy and modifiedBy information. |
type | string | The type of the resource. E.g. "Microsoft.Compute/virtualMachines" or "Microsoft.Storage/storageAccounts" |
TiTaxiiDataConnectorDataTypes
The available data types for Threat Intelligence TAXII data connector.
Name | Type | Description |
---|---|---|
taxiiClient | | Data type for TAXII connector. |
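The OAuthModel, OracleAuthModel, SessionAuthModel and TiTaxiiDataConnector definitions above include credential fields (clientSecret, authorizationCode, pemFile, password). The Python below is an added example, not part of this API reference: it masks those fields in a connector document before the document is logged, attached to a ticket or committed. The sample documents are constructed, and treating exactly these four field names as secret is this example's assumption.

```python
import copy
import json

# Credential-bearing field names from the OAuthModel, OracleAuthModel,
# SessionAuthModel and TiTaxiiDataConnector tables. Treating exactly these
# four as secret is this example's assumption.
SECRET_FIELDS = {"clientSecret", "authorizationCode", "pemFile", "password"}
MASK = "***REDACTED***"


def redact_connector(doc):
    """Return (redacted_copy, secret_paths); the input is left untouched."""
    redacted = copy.deepcopy(doc)
    paths = []

    def walk(node, path):
        if isinstance(node, dict):
            for key, value in node.items():
                here = f"{path}.{key}" if path else key
                if key in SECRET_FIELDS and value not in (None, "", {}):
                    # SessionAuthModel types password as an object, so the
                    # whole value is replaced, not just string leaves.
                    node[key] = MASK
                    paths.append(here)
                else:
                    walk(value, here)
        elif isinstance(node, list):
            for index, item in enumerate(node):
                walk(item, f"{path}[{index}]")

    walk(redacted, "")
    return redacted, sorted(paths)


def safe_dump(doc):
    """JSON text of the redacted document, suitable for logs or tickets."""
    return json.dumps(redact_connector(doc)[0], indent=2, sort_keys=True)


# Constructed sample documents (not taken from a real workspace).
SAMPLE_OAUTH_POLLER = {
    "properties": {
        "auth": {
            "type": "OAuth2",
            "clientId": "00000000-0000-0000-0000-000000000000",
            "clientSecret": "constructed-client-secret",
            "authorizationCode": "constructed-auth-code",
            "tokenEndpoint": "https://idp.example.invalid/token",
        },
        "request": {"apiEndpoint": "https://api.example.invalid/logs"},
    },
}
SAMPLE_SESSION_AUTH = {
    "type": "Session",
    "userName": {"user": "svc-reader"},
    "password": {"passwd": "constructed-session-password"},
    "sessionLoginRequestUri": "https://api.example.invalid/login",
}
SAMPLE_TAXII = {
    "properties": {
        "taxiiServer": "https://taxii.example.invalid/api1/",
        "collectionId": "constructed-collection",
        "userName": "feed-reader",
        "password": "constructed-taxii-password",
        "pollingFrequency": "OnceAnHour",
    },
}

if __name__ == "__main__":
    print(safe_dump(SAMPLE_OAUTH_POLLER))
```

The returned path list shows which fields carried a value, which is useful when reviewing where connector credentials end up in exported configuration.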