Compartilhar via


Data Connectors - Get

Gets a data connector.

GET https://management.azure.com/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/dataConnectors/{dataConnectorId}?api-version=2024-09-01

URI Parameters

Name In Required Type Description
dataConnectorId
path True

string

Connector ID

resourceGroupName
path True

string

The name of the resource group. The name is case insensitive.

subscriptionId
path True

string

uuid

The ID of the target subscription. The value must be an UUID.

workspaceName
path True

string

The name of the workspace.

Regex pattern: ^[A-Za-z0-9][A-Za-z0-9-]+[A-Za-z0-9]$

api-version
query True

string

The API version to use for this operation.

Responses

Name Type Description
200 OK DataConnector:

OK, Operation successfully completed

Other Status Codes

CloudError

Error response describing why the operation failed.

Security

azure_auth

Azure Active Directory OAuth2 Flow

Type: oauth2
Flow: implicit
Authorization URL: https://login.microsoftonline.com/common/oauth2/authorize

Scopes

Name Description
user_impersonation impersonate your user account

Examples

Get a ASC data connector.
Get a MCAS data connector.
Get a MDATP data connector
Get a MicrosoftThreatIntelligence data connector
Get a PremiumMicrosoftDefenderForThreatIntelligence data connector
Get a RestApiPoller data connector
Get a TI data connector.
Get an AAD data connector.
Get an AATP data connector.
Get an AwsCloudTrail data connector.
Get an Office365 data connector.

Get a ASC data connector.

Sample request

GET https://management.azure.com/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalInsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/dataConnectors/763f9fa1-c2d3-4fa2-93e9-bccd4899aa12?api-version=2024-09-01

Sample response

{
  "id": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalInsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/dataConnectors/763f9fa1-c2d3-4fa2-93e9-bccd4899aa12",
  "name": "763f9fa1-c2d3-4fa2-93e9-bccd4899aa12",
  "type": "Microsoft.SecurityInsights/dataConnectors",
  "kind": "AzureSecurityCenter",
  "etag": "\"0300bf09-0000-0000-0000-5c37296e0000\"",
  "properties": {
    "subscriptionId": "c0688291-89d7-4bed-87a2-a7b1bff43f4c",
    "dataTypes": {
      "alerts": {
        "state": "Enabled"
      }
    }
  }
}

Get a MCAS data connector.

Sample request

GET https://management.azure.com/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalInsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/dataConnectors/b96d014d-b5c2-4a01-9aba-a8058f629d42?api-version=2024-09-01

Sample response

{
  "id": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalInsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/dataConnectors/b96d014d-b5c2-4a01-9aba-a8058f629d42",
  "name": "b96d014d-b5c2-4a01-9aba-a8058f629d42",
  "type": "Microsoft.SecurityInsights/dataConnectors",
  "kind": "MicrosoftCloudAppSecurity",
  "etag": "\"0300bf09-0000-0000-0000-5c37296e0000\"",
  "properties": {
    "tenantId": "2070ecc9-b4d5-4ae4-adaa-936fa1954fa8",
    "dataTypes": {
      "alerts": {
        "state": "Enabled"
      },
      "discoveryLogs": {
        "state": "Enabled"
      }
    }
  }
}

Get a MDATP data connector

Sample request

GET https://management.azure.com/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalInsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/dataConnectors/06b3ccb8-1384-4bcc-aec7-852f6d57161b?api-version=2024-09-01

Sample response

{
  "id": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalInsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/dataConnectors/06b3ccb8-1384-4bcc-aec7-852f6d57161b",
  "name": "06b3ccb8-1384-4bcc-aec7-852f6d57161b",
  "type": "Microsoft.SecurityInsights/dataConnectors",
  "kind": "MicrosoftDefenderAdvancedThreatProtection",
  "etag": "\"0300bf09-0000-0000-0000-5c37296e0000\"",
  "properties": {
    "tenantId": "2070ecc9-b4d5-4ae4-adaa-936fa1954fa8",
    "dataTypes": {
      "alerts": {
        "state": "Enabled"
      }
    }
  }
}

Get a MicrosoftThreatIntelligence data connector

Sample request

GET https://management.azure.com/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalInsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/dataConnectors/c345bf40-8509-4ed2-b947-50cb773aaf04?api-version=2024-09-01

Sample response

{
  "id": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalInsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/dataConnectors/c345bf40-8509-4ed2-b947-50cb773aaf04",
  "name": "c345bf40-8509-4ed2-b947-50cb773aaf04",
  "type": "Microsoft.SecurityInsights/dataConnectors",
  "kind": "MicrosoftThreatIntelligence",
  "etag": "\"0300bf09-0000-0000-0000-5c37296e0000\"",
  "properties": {
    "tenantId": "2070ecc9-b4d5-4ae4-adaa-936fa1954fa8",
    "dataTypes": {
      "microsoftEmergingThreatFeed": {
        "state": "Enabled",
        "lookbackPeriod": "2024-11-01T00:00:00Z"
      }
    }
  }
}

Get a PremiumMicrosoftDefenderForThreatIntelligence data connector

Sample request

GET https://management.azure.com/subscriptions/b66e5c69-e2eb-422a-81c3-002de57059f3/resourceGroups/myRg/providers/Microsoft.OperationalInsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/dataConnectors/8c569548-a86c-4fb4-8ae4-d1e35a6146f8?api-version=2024-09-01

Sample response

{
  "id": "/subscriptions/b66e5c69-e2eb-422a-81c3-002de57059f3/resourceGroups/myRg/providers/Microsoft.OperationalInsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/dataConnectors/8c569548-a86c-4fb4-8ae4-d1e35a6146f8",
  "name": "8c569548-a86c-4fb4-8ae4-d1e35a6146f8",
  "etag": "d30049a2-0000-0800-0000-658ca2270000",
  "type": "Microsoft.SecurityInsights/dataConnectors",
  "kind": "PremiumMicrosoftDefenderForThreatIntelligence",
  "properties": {
    "lookbackPeriod": "2023-12-26T22:16:07Z",
    "requiredSKUsPresent": false,
    "dataTypes": {
      "connector": {
        "state": "Enabled"
      }
    },
    "tenantId": "e4afb3c4-813b-4e68-b6de-e5360866e798"
  }
}

Get a RestApiPoller data connector

Sample request

GET https://management.azure.com/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalInsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/dataConnectors/RestApiPoller_fce27b90-d6f5-4d30-991a-af509a2b50a1?api-version=2024-09-01

Sample response

{
  "id": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalInsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/dataConnectors/RestApiPoller_afef3743-0c88-469c-84ff-ca2e87dc1e48",
  "name": "RestApiPoller_fce27b90-d6f5-4d30-991a-af509a2b50a1",
  "type": "Microsoft.SecurityInsights/dataConnectors",
  "etag": "\"0300bf09-0000-0000-0000-5c37296e0000\"",
  "kind": "RestApiPoller",
  "properties": {
    "connectorDefinitionName": "RestApiPollerDefinition",
    "auth": {
      "type": "APIKey",
      "apiKey": "6bec40cf957de430a6f1f2baa056b99a4fac9ea0",
      "apiKeyName": "X-Cisco-Meraki-API-Key"
    },
    "dcrConfig": {
      "streamName": "Meraki",
      "dataCollectionEndpoint": "data collection Endpoint",
      "dataCollectionRuleImmutableId": "data collection rule immutableId"
    },
    "request": {
      "apiEndpoint": "https://api.meraki.com/api/v1/organizations/573083052582915028/networks",
      "rateLimitQPS": 10,
      "queryWindowInMin": 6,
      "httpMethod": "GET",
      "queryTimeFormat": "UnixTimestamp",
      "startTimeAttributeName": "t0",
      "endTimeAttributeName": "t1",
      "retryCount": 3,
      "timeoutInSeconds": 60,
      "headers": {
        "Accept": "application/json",
        "User-Agent": "Scuba"
      },
      "queryParameters": {
        "perPage": 1000
      }
    },
    "paging": {
      "pagingType": "LinkHeader"
    },
    "response": {
      "eventsJsonPaths": [
        "$"
      ]
    }
  }
}

Get a TI data connector.

Sample request

GET https://management.azure.com/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalInsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/dataConnectors/c345bf40-8509-4ed2-b947-50cb773aaf04?api-version=2024-09-01

Sample response

{
  "id": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalInsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/dataConnectors/c345bf40-8509-4ed2-b947-50cb773aaf04",
  "name": "c345bf40-8509-4ed2-b947-50cb773aaf04",
  "type": "Microsoft.SecurityInsights/dataConnectors",
  "kind": "ThreatIntelligence",
  "etag": "\"0300bf09-0000-0000-0000-5c37296e0000\"",
  "properties": {
    "tenantId": "2070ecc9-b4d5-4ae4-adaa-936fa1954fa8",
    "tipLookbackPeriod": "2020-01-01T13:00:30.123Z",
    "dataTypes": {
      "indicators": {
        "state": "Enabled"
      }
    }
  }
}

Get an AAD data connector.

Sample request

GET https://management.azure.com/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalInsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/dataConnectors/f0cd27d2-5f03-4c06-ba31-d2dc82dcb51d?api-version=2024-09-01

Sample response

{
  "id": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalInsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/dataConnectors/f0cd27d2-5f03-4c06-ba31-d2dc82dcb51d",
  "name": "f0cd27d2-5f03-4c06-ba31-d2dc82dcb51d",
  "type": "Microsoft.SecurityInsights/dataConnectors",
  "kind": "AzureActiveDirectory",
  "etag": "\"0300bf09-0000-0000-0000-5c37296e0000\"",
  "properties": {
    "tenantId": "2070ecc9-b4d5-4ae4-adaa-936fa1954fa8",
    "dataTypes": {
      "alerts": {
        "state": "Enabled"
      }
    }
  }
}

Get an AATP data connector.

Sample request

GET https://management.azure.com/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalInsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/dataConnectors/07e42cb3-e658-4e90-801c-efa0f29d3d44?api-version=2024-09-01

Sample response

{
  "id": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalInsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/dataConnectors/07e42cb3-e658-4e90-801c-efa0f29d3d44",
  "name": "07e42cb3-e658-4e90-801c-efa0f29d3d44",
  "type": "Microsoft.SecurityInsights/dataConnectors",
  "kind": "AzureAdvancedThreatProtection",
  "etag": "\"0300bf09-0000-0000-0000-5c37296e0000\"",
  "properties": {
    "tenantId": "2070ecc9-b4d5-4ae4-adaa-936fa1954fa8",
    "dataTypes": {
      "alerts": {
        "state": "Enabled"
      }
    }
  }
}

Get an AwsCloudTrail data connector.

Sample request

GET https://management.azure.com/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalInsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/dataConnectors/c345bf40-8509-4ed2-b947-50cb773aaf04?api-version=2024-09-01

Sample response

{
  "id": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalInsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/dataConnectors/c345bf40-8509-4ed2-b947-50cb773aaf04",
  "name": "c345bf40-8509-4ed2-b947-50cb773aaf04",
  "type": "Microsoft.SecurityInsights/dataConnectors",
  "etag": "\"0300bf09-0000-0000-0000-5c37296e0000\"",
  "kind": "AmazonWebServicesCloudTrail",
  "properties": {
    "awsRoleArn": "myAwsRoleArn",
    "dataTypes": {
      "logs": {
        "state": "Enabled"
      }
    }
  }
}

Get an Office365 data connector.

Sample request

GET https://management.azure.com/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalInsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/dataConnectors/73e01a99-5cd7-4139-a149-9f2736ff2ab5?api-version=2024-09-01

Sample response

{
  "id": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalInsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/dataConnectors/73e01a99-5cd7-4139-a149-9f2736ff2ab5",
  "name": "73e01a99-5cd7-4139-a149-9f2736ff2ab5",
  "type": "Microsoft.SecurityInsights/dataConnectors",
  "kind": "Office365",
  "etag": "\"0300bf09-0000-0000-0000-5c37296e0000\"",
  "properties": {
    "tenantId": "2070ecc9-b4d5-4ae4-adaa-936fa1954fa8",
    "dataTypes": {
      "sharePoint": {
        "state": "Enabled"
      },
      "exchange": {
        "state": "Enabled"
      },
      "teams": {
        "state": "Enabled"
      }
    }
  }
}

Definitions

Name Description
AADDataConnector

Represents AAD (Azure Active Directory) data connector.

AATPDataConnector

Represents AATP (Azure Advanced Threat Protection) data connector.

AlertsDataTypeOfDataConnector

Alerts data type for data connectors.

ApiKeyAuthModel

Model for authentication with the API Key. Will result in additional header on the request (default behavior) to the remote server: 'ApiKeyName: ApiKeyIdentifier ApiKey'. If 'IsApiKeyInPostPayload' is true it will send it in the body of the request and not the header.

ASCDataConnector

Represents ASC (Azure Security Center) data connector.

AWSAuthModel

Model for API authentication with AWS.

AwsCloudTrailDataConnector

Represents Amazon Web Services CloudTrail data connector.

AwsCloudTrailDataConnectorDataTypes

The available data types for Amazon Web Services CloudTrail data connector.

BasicAuthModel

Model for API authentication with basic flow - user name + password.

CcpAuthType

Type of paging

CcpResponseConfig

A custom response configuration for a rule.

CloudError

Error response structure.

CloudErrorBody

Error details.

Connector

Data type for Premium Microsoft Defender for Threat Intelligence data connector.

createdByType

The type of identity that created the resource.

DataConnectorDataTypeCommon

Common field for data type in data connectors.

DataConnectorKind

The kind of the data connector

DataTypeState

Describe whether this data type connection is enabled or not.

DCRConfiguration

The configuration of the destination of the data.

Exchange

Exchange data type connection.

GCPAuthModel

Model for API authentication for all GCP kind connectors.

GenericBlobSbsAuthModel

Model for API authentication for working with service bus or storage account.

GitHubAuthModel

Model for API authentication for GitHub. For this authentication first we need to approve the Router app (Microsoft Security DevOps) to access the GitHub account, Then we only need the InstallationId to get the access token from https://api.github.com/app/installations/{installId}/access_tokens.

httpMethodVerb

The HTTP method, default value GET.

Indicators

Data type for indicators connection.

JwtAuthModel

Model for API authentication with JWT. Simple exchange between user name + password to access token.

Logs

Logs data type.

MCASDataConnector

Represents MCAS (Microsoft Cloud App Security) data connector.

MCASDataConnectorDataTypes

The available data types for MCAS (Microsoft Cloud App Security) data connector.

MDATPDataConnector

Represents MDATP (Microsoft Defender Advanced Threat Protection) data connector.

MicrosoftEmergingThreatFeed

Data type for Microsoft Threat Intelligence data connector.

MSTIDataConnector

Represents Microsoft Threat Intelligence data connector.

MSTIDataConnectorDataTypes

The available data types for Microsoft Threat Intelligence data connector.

NoneAuthModel

Model for API authentication with no authentication method - public API.

OAuthModel

Model for API authentication with OAuth2.

OfficeDataConnector

Represents office data connector.

OfficeDataConnectorDataTypes

The available data types for office data connector.

OracleAuthModel

Model for API authentication for Oracle.

PremiumMdtiDataConnectorDataTypes

The available data types for Premium Microsoft Defender for Threat Intelligence data connector.

PremiumMicrosoftDefenderForThreatIntelligence

Represents Premium Microsoft Defender for Threat Intelligence data connector.

RestApiPollerDataConnector

Represents Rest Api Poller data connector.

RestApiPollerRequestConfig

The request configuration.

RestApiPollerRequestPagingConfig

The request paging configuration.

RestApiPollerRequestPagingKind

Type of paging

SessionAuthModel

Model for API authentication with session cookie.

SharePoint

SharePoint data type connection.

systemData

Metadata pertaining to creation and last modification of the resource.

Teams

Teams data type connection.

TIDataConnector

Represents threat intelligence data connector.

TIDataConnectorDataTypes

The available data types for TI (Threat Intelligence) data connector.

AADDataConnector

Represents AAD (Azure Active Directory) data connector.

Name Type Description
etag

string

Etag of the azure resource

id

string

Fully qualified resource ID for the resource. E.g. "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/{resourceProviderNamespace}/{resourceType}/{resourceName}"

kind string:

AzureActiveDirectory

The data connector kind

name

string

The name of the resource

properties.dataTypes

AlertsDataTypeOfDataConnector

The available data types for the connector.

properties.tenantId

string

The tenant id to connect to, and get the data from.

systemData

systemData

Azure Resource Manager metadata containing createdBy and modifiedBy information.

type

string

The type of the resource. E.g. "Microsoft.Compute/virtualMachines" or "Microsoft.Storage/storageAccounts"

AATPDataConnector

Represents AATP (Azure Advanced Threat Protection) data connector.

Name Type Description
etag

string

Etag of the azure resource

id

string

Fully qualified resource ID for the resource. E.g. "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/{resourceProviderNamespace}/{resourceType}/{resourceName}"

kind string:

AzureAdvancedThreatProtection

The data connector kind

name

string

The name of the resource

properties.dataTypes

AlertsDataTypeOfDataConnector

The available data types for the connector.

properties.tenantId

string

The tenant id to connect to, and get the data from.

systemData

systemData

Azure Resource Manager metadata containing createdBy and modifiedBy information.

type

string

The type of the resource. E.g. "Microsoft.Compute/virtualMachines" or "Microsoft.Storage/storageAccounts"

AlertsDataTypeOfDataConnector

Alerts data type for data connectors.

Name Type Description
alerts

DataConnectorDataTypeCommon

Alerts data type connection.

ApiKeyAuthModel

Model for authentication with the API Key. Will result in additional header on the request (default behavior) to the remote server: 'ApiKeyName: ApiKeyIdentifier ApiKey'. If 'IsApiKeyInPostPayload' is true it will send it in the body of the request and not the header.

Name Type Description
apiKey

string

API Key for the user secret key credential

apiKeyIdentifier

string

API Key Identifier

apiKeyName

string

API Key name

isApiKeyInPostPayload

boolean

Flag to indicate if API key is set in HTTP POST payload

type string:

APIKey

The auth type

ASCDataConnector

Represents ASC (Azure Security Center) data connector.

Name Type Description
etag

string

Etag of the azure resource

id

string

Fully qualified resource ID for the resource. E.g. "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/{resourceProviderNamespace}/{resourceType}/{resourceName}"

kind string:

AzureSecurityCenter

The data connector kind

name

string

The name of the resource

properties.dataTypes

AlertsDataTypeOfDataConnector

The available data types for the connector.

properties.subscriptionId

string

The subscription id to connect to, and get the data from.

systemData

systemData

Azure Resource Manager metadata containing createdBy and modifiedBy information.

type

string

The type of the resource. E.g. "Microsoft.Compute/virtualMachines" or "Microsoft.Storage/storageAccounts"

AWSAuthModel

Model for API authentication with AWS.

Name Type Description
externalId

string

AWS STS assume role external ID. This is used to prevent the confused deputy problem: 'https://docs.aws.amazon.com/IAM/latest/UserGuide/confused-deputy.html'

roleArn

string

AWS STS assume role ARN

type string:

AWS

The auth type

AwsCloudTrailDataConnector

Represents Amazon Web Services CloudTrail data connector.

Name Type Description
etag

string

Etag of the azure resource

id

string

Fully qualified resource ID for the resource. E.g. "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/{resourceProviderNamespace}/{resourceType}/{resourceName}"

kind string:

AmazonWebServicesCloudTrail

The data connector kind

name

string

The name of the resource

properties.awsRoleArn

string

The Aws Role Arn (with CloudTrailReadOnly policy) that is used to access the Aws account.

properties.dataTypes

AwsCloudTrailDataConnectorDataTypes

The available data types for the connector.

systemData

systemData

Azure Resource Manager metadata containing createdBy and modifiedBy information.

type

string

The type of the resource. E.g. "Microsoft.Compute/virtualMachines" or "Microsoft.Storage/storageAccounts"

AwsCloudTrailDataConnectorDataTypes

The available data types for Amazon Web Services CloudTrail data connector.

Name Type Description
logs

Logs

Logs data type.

BasicAuthModel

Model for API authentication with basic flow - user name + password.

Name Type Description
password

string

The password

type string:

Basic

The auth type

userName

string

The user name.

CcpAuthType

Type of paging

Name Type Description
APIKey

string

AWS

string

Basic

string

GCP

string

GitHub

string

JwtToken

string

None

string

OAuth2

string

Oracle

string

ServiceBus

string

Session

string

CcpResponseConfig

A custom response configuration for a rule.

Name Type Default value Description
compressionAlgo

string

gzip

The compression algorithm. For Example: 'gzip', 'multi-gzip', 'deflate'.

convertChildPropertiesToArray

boolean

The value indicating whether the response isn't an array of events / logs. By setting this flag to true it means the remote server will response with an object which each property has as a value an array of events / logs.

csvDelimiter

string

The csv delimiter, in case the response format is CSV.

csvEscape

string

"

The character used to escape characters in CSV.

eventsJsonPaths

string[]

The json paths, '$' char is the json root.

format

string

json

The response format. possible values are json,csv,xml

hasCsvBoundary

boolean

The value indicating whether the response has CSV boundary in case the response in CSV format.

hasCsvHeader

boolean

The value indicating whether the response has headers in case the response in CSV format.

isGzipCompressed

boolean

The value indicating whether the remote server support Gzip and we should expect Gzip response.

successStatusJsonPath

string

The value where the status message/code should appear in the response.

successStatusValue

string

The status value.

CloudError

Error response structure.

Name Type Description
error

CloudErrorBody

Error data

CloudErrorBody

Error details.

Name Type Description
code

string

An identifier for the error. Codes are invariant and are intended to be consumed programmatically.

message

string

A message describing the error, intended to be suitable for display in a user interface.

Connector

Data type for Premium Microsoft Defender for Threat Intelligence data connector.

Name Type Description
state

DataTypeState

Describe whether this data type connection is enabled or not.

createdByType

The type of identity that created the resource.

Name Type Description
Application

string

Key

string

ManagedIdentity

string

User

string

DataConnectorDataTypeCommon

Common field for data type in data connectors.

Name Type Description
state

DataTypeState

Describe whether this data type connection is enabled or not.

DataConnectorKind

The kind of the data connector

Name Type Description
AmazonWebServicesCloudTrail

string

AzureActiveDirectory

string

AzureAdvancedThreatProtection

string

AzureSecurityCenter

string

MicrosoftCloudAppSecurity

string

MicrosoftDefenderAdvancedThreatProtection

string

MicrosoftThreatIntelligence

string

Office365

string

PremiumMicrosoftDefenderForThreatIntelligence

string

RestApiPoller

string

ThreatIntelligence

string

DataTypeState

Describe whether this data type connection is enabled or not.

Name Type Description
Disabled

string

Enabled

string

DCRConfiguration

The configuration of the destination of the data.

Name Type Description
dataCollectionEndpoint

string

Represents the data collection ingestion endpoint in log analytics.

dataCollectionRuleImmutableId

string

The data collection rule immutable id, the rule defines the transformation and data destination.

streamName

string

The stream we are sending the data to.

Exchange

Exchange data type connection.

Name Type Description
state

DataTypeState

Describe whether this data type connection is enabled or not.

GCPAuthModel

Model for API authentication for all GCP kind connectors.

Name Type Description
projectNumber

string

GCP Project Number

serviceAccountEmail

string

GCP Service Account Email

type string:

GCP

The auth type

workloadIdentityProviderId

string

GCP Workload Identity Provider ID

GenericBlobSbsAuthModel

Model for API authentication for working with service bus or storage account.

Name Type Description
credentialsConfig

object

Credentials for service bus namespace, keyvault uri for access key

storageAccountCredentialsConfig

object

Credentials for storage account, keyvault uri for access key

type string:

ServiceBus

The auth type

GitHubAuthModel

Model for API authentication for GitHub. For this authentication first we need to approve the Router app (Microsoft Security DevOps) to access the GitHub account, Then we only need the InstallationId to get the access token from https://api.github.com/app/installations/{installId}/access_tokens.

Name Type Description
installationId

string

The GitHubApp auth installation id.

type string:

GitHub

The auth type

httpMethodVerb

The HTTP method, default value GET.

Name Type Description
DELETE

string

GET

string

POST

string

PUT

string

Indicators

Data type for indicators connection.

Name Type Description
state

DataTypeState

Describe whether this data type connection is enabled or not.

JwtAuthModel

Model for API authentication with JWT. Simple exchange between user name + password to access token.

Name Type Default value Description
headers

object

The custom headers we want to add once we send request to token endpoint.

isCredentialsInHeaders

boolean

Flag indicating whether we want to send the user name and password to token endpoint in the headers.

isJsonRequest

boolean

False

Flag indicating whether the body request is JSON (header Content-Type = application/json), meaning its a Form URL encoded request (header Content-Type = application/x-www-form-urlencoded).

password

object

The password

queryParameters

object

The custom query parameter we want to add once we send request to token endpoint.

requestTimeoutInSeconds

integer

100

Request timeout in seconds.

tokenEndpoint

string

Token endpoint to request JWT

type string:

JwtToken

The auth type

userName

object

The user name. If user name and password sent in header request we only need to populate the value property with the user name (Same as basic auth). If user name and password sent in body request we need to specify the Key and Value.

Logs

Logs data type.

Name Type Description
state

DataTypeState

Describe whether this data type connection is enabled or not.

MCASDataConnector

Represents MCAS (Microsoft Cloud App Security) data connector.

Name Type Description
etag

string

Etag of the azure resource

id

string

Fully qualified resource ID for the resource. E.g. "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/{resourceProviderNamespace}/{resourceType}/{resourceName}"

kind string:

MicrosoftCloudAppSecurity

The data connector kind

name

string

The name of the resource

properties.dataTypes

MCASDataConnectorDataTypes

The available data types for the connector.

properties.tenantId

string

The tenant id to connect to, and get the data from.

systemData

systemData

Azure Resource Manager metadata containing createdBy and modifiedBy information.

type

string

The type of the resource. E.g. "Microsoft.Compute/virtualMachines" or "Microsoft.Storage/storageAccounts"

MCASDataConnectorDataTypes

The available data types for MCAS (Microsoft Cloud App Security) data connector.

Name Type Description
alerts

DataConnectorDataTypeCommon

Alerts data type connection.

discoveryLogs

DataConnectorDataTypeCommon

Discovery log data type connection.

MDATPDataConnector

Represents MDATP (Microsoft Defender Advanced Threat Protection) data connector.

Name Type Description
etag

string

Etag of the azure resource

id

string

Fully qualified resource ID for the resource. E.g. "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/{resourceProviderNamespace}/{resourceType}/{resourceName}"

kind string:

MicrosoftDefenderAdvancedThreatProtection

The data connector kind

name

string

The name of the resource

properties.dataTypes

AlertsDataTypeOfDataConnector

The available data types for the connector.

properties.tenantId

string

The tenant id to connect to, and get the data from.

systemData

systemData

Azure Resource Manager metadata containing createdBy and modifiedBy information.

type

string

The type of the resource. E.g. "Microsoft.Compute/virtualMachines" or "Microsoft.Storage/storageAccounts"

MicrosoftEmergingThreatFeed

Data type for Microsoft Threat Intelligence data connector.

Name Type Description
lookbackPeriod

string

The lookback period for the feed to be imported. The date-time to begin importing the feed from, for example: 2024-01-01T00:00:00.000Z.

state

DataTypeState

Describe whether this data type connection is enabled or not.

MSTIDataConnector

Represents Microsoft Threat Intelligence data connector.

Name Type Description
etag

string

Etag of the azure resource

id

string

Fully qualified resource ID for the resource. E.g. "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/{resourceProviderNamespace}/{resourceType}/{resourceName}"

kind string:

MicrosoftThreatIntelligence

The data connector kind

name

string

The name of the resource

properties.dataTypes

MSTIDataConnectorDataTypes

The available data types for the connector.

properties.tenantId

string

The tenant id to connect to, and get the data from.

systemData

systemData

Azure Resource Manager metadata containing createdBy and modifiedBy information.

type

string

The type of the resource. E.g. "Microsoft.Compute/virtualMachines" or "Microsoft.Storage/storageAccounts"

MSTIDataConnectorDataTypes

The available data types for Microsoft Threat Intelligence data connector.

Name Type Description
microsoftEmergingThreatFeed

MicrosoftEmergingThreatFeed

Data type for Microsoft Threat Intelligence data connector.

NoneAuthModel

Model for API authentication with no authentication method - public API.

Name Type Description
type string:

None

The auth type

OAuthModel

Model for API authentication with OAuth2.

Name Type Default value Description
accessTokenPrepend

string

Access token prepend. Default is 'Bearer'.

authorizationCode

string

The user's authorization code.

authorizationEndpoint

string

The authorization endpoint.

authorizationEndpointHeaders

object

The authorization endpoint headers.

authorizationEndpointQueryParameters

object

The authorization endpoint query parameters.

clientId

string

The Application (client) ID that the OAuth provider assigned to your app.

clientSecret

string

The Application (client) secret that the OAuth provider assigned to your app.

grantType

string

The grant type, usually will be 'authorization code'.

isCredentialsInHeaders

boolean

False

Indicating whether we want to send the clientId and clientSecret to token endpoint in the headers.

isJwtBearerFlow

boolean

A value indicating whether it's a JWT flow.

redirectUri

string

The Application redirect url that the user config in the OAuth provider.

scope

string

The Application (client) Scope that the OAuth provider assigned to your app.

tokenEndpoint

string

The token endpoint. Defines the OAuth2 refresh token.

tokenEndpointHeaders

object

The token endpoint headers.

tokenEndpointQueryParameters

object

The token endpoint query parameters.

type string:

OAuth2

The auth type

OfficeDataConnector

Represents office data connector.

Name Type Description
etag

string

Etag of the azure resource

id

string

Fully qualified resource ID for the resource. E.g. "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/{resourceProviderNamespace}/{resourceType}/{resourceName}"

kind string:

Office365

The data connector kind

name

string

The name of the resource

properties.dataTypes

OfficeDataConnectorDataTypes

The available data types for the connector.

properties.tenantId

string

The tenant id to connect to, and get the data from.

systemData

systemData

Azure Resource Manager metadata containing createdBy and modifiedBy information.

type

string

The type of the resource. E.g. "Microsoft.Compute/virtualMachines" or "Microsoft.Storage/storageAccounts"

OfficeDataConnectorDataTypes

The available data types for office data connector.

Name Type Description
exchange

Exchange

Exchange data type connection.

sharePoint

SharePoint

SharePoint data type connection.

teams

Teams

Teams data type connection.

OracleAuthModel

Model for API authentication for Oracle.

Name Type Description
pemFile

string

Content of the PRM file

publicFingerprint

string

Public Fingerprint

tenantId

string

Oracle tenant ID

type string:

Oracle

The auth type

userId

string

Oracle user ID

PremiumMdtiDataConnectorDataTypes

The available data types for Premium Microsoft Defender for Threat Intelligence data connector.

Name Type Description
connector

Connector

Data type for Premium Microsoft Defender for Threat Intelligence data connector.

PremiumMicrosoftDefenderForThreatIntelligence

Represents Premium Microsoft Defender for Threat Intelligence data connector.

Name Type Description
etag

string

Etag of the azure resource

id

string

Fully qualified resource ID for the resource. E.g. "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/{resourceProviderNamespace}/{resourceType}/{resourceName}"

kind string:

PremiumMicrosoftDefenderForThreatIntelligence

The data connector kind

name

string

The name of the resource

properties.dataTypes

PremiumMdtiDataConnectorDataTypes

The available data types for the connector.

properties.lookbackPeriod

string

The lookback period for the feed to be imported. The date-time to begin importing the feed from, for example: 2024-01-01T00:00:00.000Z.

properties.requiredSKUsPresent

boolean

The flag to indicate whether the tenant has the premium SKU required to access this connector.

properties.tenantId

string

The tenant id to connect to, and get the data from.

systemData

systemData

Azure Resource Manager metadata containing createdBy and modifiedBy information.

type

string

The type of the resource. E.g. "Microsoft.Compute/virtualMachines" or "Microsoft.Storage/storageAccounts"

RestApiPollerDataConnector

Represents Rest Api Poller data connector.

Name Type Description
etag

string

Etag of the azure resource

id

string

Fully qualified resource ID for the resource. E.g. "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/{resourceProviderNamespace}/{resourceType}/{resourceName}"

kind string:

RestApiPoller

The data connector kind

name

string

The name of the resource

properties.addOnAttributes

object

The add on attributes. The key name will become attribute name (a column) and the value will become the attribute value in the payload.

properties.auth CcpAuthConfig:

The a authentication model.

properties.connectorDefinitionName

string

The connector definition name (the dataConnectorDefinition resource id).

properties.dataType

string

The Log Analytics table destination.

properties.dcrConfig

DCRConfiguration

The DCR related properties.

properties.isActive

boolean

Indicates whether the connector is active or not.

properties.paging

RestApiPollerRequestPagingConfig

The paging configuration.

properties.request

RestApiPollerRequestConfig

The request configuration.

properties.response

CcpResponseConfig

The response configuration.

systemData

systemData

Azure Resource Manager metadata containing createdBy and modifiedBy information.

type

string

The type of the resource. E.g. "Microsoft.Compute/virtualMachines" or "Microsoft.Storage/storageAccounts"

RestApiPollerRequestConfig

The request configuration.

Name Type Description
apiEndpoint

string

The API endpoint.

endTimeAttributeName

string

The query parameter name which the remote server expect to end query. This property goes hand to hand with startTimeAttributeName

headers

object

The header for the request for the remote server.

httpMethod

httpMethodVerb

The HTTP method, default value GET.

isPostPayloadJson

boolean

Flag to indicate if HTTP POST payload is in JSON format (vs form-urlencoded).

queryParameters

The HTTP query parameters to RESTful API.

queryParametersTemplate

string

the query parameters template. Defines the query parameters template to use when passing query parameters in advanced scenarios.

queryTimeFormat

string

The query time format. A remote server can have a query to pull data from range 'start' to 'end'. This property indicate what is the expected time format the remote server know to parse.

queryTimeIntervalAttributeName

string

The query parameter name which we need to send the server for query logs in time interval. Should be defined with queryTimeIntervalPrepend and queryTimeIntervalDelimiter

queryTimeIntervalDelimiter

string

The delimiter string between 2 QueryTimeFormat in the query parameter queryTimeIntervalAttributeName.

queryTimeIntervalPrepend

string

The string prepend to the value of the query parameter in queryTimeIntervalAttributeName.

queryWindowInMin

integer

The query window in minutes for the request.

rateLimitQPS

integer

The Rate limit queries per second for the request..

retryCount

integer

The retry count.

startTimeAttributeName

string

The query parameter name which the remote server expect to start query. This property goes hand to hand with endTimeAttributeName.

timeoutInSeconds

integer

The timeout in seconds.

RestApiPollerRequestPagingConfig

The request paging configuration.

Name Type Description
pageSize

integer

Page size

pageSizeParameterName

string

Page size parameter name

pagingType

RestApiPollerRequestPagingKind

Type of paging

RestApiPollerRequestPagingKind

Type of paging

Name Type Description
CountBasedPaging

string

LinkHeader

string

NextPageToken

string

NextPageUrl

string

Offset

string

PersistentLinkHeader

string

PersistentToken

string

SessionAuthModel

Model for API authentication with session cookie.

Name Type Description
headers

object

HTTP request headers to session service endpoint.

isPostPayloadJson

boolean

Indicating whether API key is set in HTTP POST payload.

password

object

The password attribute name.

queryParameters

Query parameters to session service endpoint.

sessionIdName

string

Session id attribute name from HTTP response header.

sessionLoginRequestUri

string

HTTP request URL to session service endpoint.

sessionTimeoutInMinutes

integer

Session timeout in minutes.

type string:

Session

The auth type

userName

object

The user name attribute key value.

SharePoint

SharePoint data type connection.

Name Type Description
state

DataTypeState

Describe whether this data type connection is enabled or not.

systemData

Metadata pertaining to creation and last modification of the resource.

Name Type Description
createdAt

string

The timestamp of resource creation (UTC).

createdBy

string

The identity that created the resource.

createdByType

createdByType

The type of identity that created the resource.

lastModifiedAt

string

The timestamp of resource last modification (UTC)

lastModifiedBy

string

The identity that last modified the resource.

lastModifiedByType

createdByType

The type of identity that last modified the resource.

Teams

Teams data type connection.

Name Type Description
state

DataTypeState

Describe whether this data type connection is enabled or not.

TIDataConnector

Represents threat intelligence data connector.

Name Type Description
etag

string

Etag of the azure resource

id

string

Fully qualified resource ID for the resource. E.g. "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/{resourceProviderNamespace}/{resourceType}/{resourceName}"

kind string:

ThreatIntelligence

The data connector kind

name

string

The name of the resource

properties.dataTypes

TIDataConnectorDataTypes

The available data types for the connector.

properties.tenantId

string

The tenant id to connect to, and get the data from.

properties.tipLookbackPeriod

string

The lookback period for the feed to be imported.

systemData

systemData

Azure Resource Manager metadata containing createdBy and modifiedBy information.

type

string

The type of the resource. E.g. "Microsoft.Compute/virtualMachines" or "Microsoft.Storage/storageAccounts"

TIDataConnectorDataTypes

The available data types for TI (Threat Intelligence) data connector.

Name Type Description
indicators

Indicators

Data type for indicators connection.