Microsoft.SecurityInsights dataConnectors 2022-12-01-preview

Bicep resource definition

The dataConnectors resource type is an extension resource, which means you can apply it to another resource.

Use the scope property on this resource to set the scope for this resource. See Set scope on extension resources in Bicep.

For a list of changed properties in each API version, see change log.

Resource format

To create a Microsoft.SecurityInsights/dataConnectors resource, add the following Bicep to your template.

resource symbolicname 'Microsoft.SecurityInsights/dataConnectors@2022-12-01-preview' = {
  name: 'string'
  kind: 'string'
  scope: resourceSymbolicName
  etag: 'string'
  // For remaining properties, see dataConnectors objects
}

dataConnectors objects

Set the kind property to specify the type of object.

For AmazonWebServicesCloudTrail, use:

  kind: 'AmazonWebServicesCloudTrail'
  properties: {
    dataTypes: {
      logs: {
        state: 'string'
      }
    }
  }

For AmazonWebServicesS3, use:

  kind: 'AmazonWebServicesS3'
  properties: {
    dataTypes: {
      logs: {
        state: 'string'
      }
    }
    destinationTable: 'string'
    roleArn: 'string'
    sqsUrls: [
      'string'
    ]
  }

For APIPolling, use:

  kind: 'APIPolling'
  properties: {
    connectorUiConfig: {
      availability: {
        isPreview: bool
        status: '1'
      }
      connectivityCriteria: [
        {
          type: 'IsConnectedQuery'
          value: [
            'string'
          ]
        }
      ]
      customImage: 'string'
      dataTypes: [
        {
          lastDataReceivedQuery: 'string'
          name: 'string'
        }
      ]
      descriptionMarkdown: 'string'
      graphQueries: [
        {
          baseQuery: 'string'
          legend: 'string'
          metricName: 'string'
        }
      ]
      graphQueriesTableName: 'string'
      instructionSteps: [
        {
          description: 'string'
          instructions: [
            {
              parameters: any()
              type: 'string'
            }
          ]
          title: 'string'
        }
      ]
      permissions: {
        customs: [
          {
            description: 'string'
            name: 'string'
          }
        ]
        resourceProvider: [
          {
            permissionsDisplayText: 'string'
            provider: 'string'
            providerDisplayName: 'string'
            requiredPermissions: {
              action: bool
              delete: bool
              read: bool
              write: bool
            }
            scope: 'string'
          }
        ]
      }
      publisher: 'string'
      sampleQueries: [
        {
          description: 'string'
          query: 'string'
        }
      ]
      title: 'string'
    }
    pollingConfig: {
      auth: {
        apiKeyIdentifier: 'string'
        apiKeyName: 'string'
        authorizationEndpoint: 'string'
        authorizationEndpointQueryParameters: any()
        authType: 'string'
        flowName: 'string'
        isApiKeyInPostPayload: 'string'
        isClientSecretInHeader: bool
        redirectionEndpoint: 'string'
        scope: 'string'
        tokenEndpoint: 'string'
        tokenEndpointHeaders: any()
        tokenEndpointQueryParameters: any()
      }
      isActive: bool
      paging: {
        nextPageParaName: 'string'
        nextPageTokenJsonPath: 'string'
        pageCountAttributePath: 'string'
        pageSize: int
        pageSizeParaName: 'string'
        pageTimeStampAttributePath: 'string'
        pageTotalCountAttributePath: 'string'
        pagingType: 'string'
        searchTheLatestTimeStampFromEventsList: 'string'
      }
      request: {
        apiEndpoint: 'string'
        endTimeAttributeName: 'string'
        headers: any()
        httpMethod: 'string'
        queryParameters: any()
        queryParametersTemplate: 'string'
        queryTimeFormat: 'string'
        queryWindowInMin: int
        rateLimitQps: int
        retryCount: int
        startTimeAttributeName: 'string'
        timeoutInSeconds: int
      }
      response: {
        eventsJsonPaths: [
          'string'
        ]
        isGzipCompressed: bool
        successStatusJsonPath: 'string'
        successStatusValue: 'string'
      }
    }
  }

For AzureActiveDirectory, use:

  kind: 'AzureActiveDirectory'
  properties: {
    dataTypes: {
      alerts: {
        state: 'string'
      }
    }
    tenantId: 'string'
  }

For AzureAdvancedThreatProtection, use:

  kind: 'AzureAdvancedThreatProtection'
  properties: {
    dataTypes: {
      alerts: {
        state: 'string'
      }
    }
    tenantId: 'string'
  }

For AzureSecurityCenter, use:

  kind: 'AzureSecurityCenter'
  properties: {
    dataTypes: {
      alerts: {
        state: 'string'
      }
    }
    subscriptionId: 'string'
  }

For Dynamics365, use:

  kind: 'Dynamics365'
  properties: {
    dataTypes: {
      dynamics365CdsActivities: {
        state: 'string'
      }
    }
    tenantId: 'string'
  }

For GenericUI, use:

  kind: 'GenericUI'
  properties: {
    connectorUiConfig: {
      availability: {
        isPreview: bool
        status: '1'
      }
      connectivityCriteria: [
        {
          type: 'IsConnectedQuery'
          value: [
            'string'
          ]
        }
      ]
      customImage: 'string'
      dataTypes: [
        {
          lastDataReceivedQuery: 'string'
          name: 'string'
        }
      ]
      descriptionMarkdown: 'string'
      graphQueries: [
        {
          baseQuery: 'string'
          legend: 'string'
          metricName: 'string'
        }
      ]
      graphQueriesTableName: 'string'
      instructionSteps: [
        {
          description: 'string'
          instructions: [
            {
              parameters: any()
              type: 'string'
            }
          ]
          title: 'string'
        }
      ]
      permissions: {
        customs: [
          {
            description: 'string'
            name: 'string'
          }
        ]
        resourceProvider: [
          {
            permissionsDisplayText: 'string'
            provider: 'string'
            providerDisplayName: 'string'
            requiredPermissions: {
              action: bool
              delete: bool
              read: bool
              write: bool
            }
            scope: 'string'
          }
        ]
      }
      publisher: 'string'
      sampleQueries: [
        {
          description: 'string'
          query: 'string'
        }
      ]
      title: 'string'
    }
  }

For IOT, use:

  kind: 'IOT'
  properties: {
    dataTypes: {
      alerts: {
        state: 'string'
      }
    }
    subscriptionId: 'string'
  }

For MicrosoftCloudAppSecurity, use:

  kind: 'MicrosoftCloudAppSecurity'
  properties: {
    dataTypes: {
      alerts: {
        state: 'string'
      }
      discoveryLogs: {
        state: 'string'
      }
    }
    tenantId: 'string'
  }

For MicrosoftDefenderAdvancedThreatProtection, use:

  kind: 'MicrosoftDefenderAdvancedThreatProtection'
  properties: {
    dataTypes: {
      alerts: {
        state: 'string'
      }
    }
    tenantId: 'string'
  }

For MicrosoftThreatIntelligence, use:

  kind: 'MicrosoftThreatIntelligence'
  properties: {
    dataTypes: {
      bingSafetyPhishingURL: {
        lookbackPeriod: 'string'
        state: 'string'
      }
      microsoftEmergingThreatFeed: {
        lookbackPeriod: 'string'
        state: 'string'
      }
    }
    tenantId: 'string'
  }

For MicrosoftThreatProtection, use:

  kind: 'MicrosoftThreatProtection'
  properties: {
    dataTypes: {
      incidents: {
        state: 'string'
      }
    }
    tenantId: 'string'
  }

For Office365, use:

  kind: 'Office365'
  properties: {
    dataTypes: {
      exchange: {
        state: 'string'
      }
      sharePoint: {
        state: 'string'
      }
      teams: {
        state: 'string'
      }
    }
    tenantId: 'string'
  }

For Office365Project, use:

  kind: 'Office365Project'
  properties: {
    dataTypes: {
      logs: {
        state: 'string'
      }
    }
    tenantId: 'string'
  }

For OfficeATP, use:

  kind: 'OfficeATP'
  properties: {
    dataTypes: {
      alerts: {
        state: 'string'
      }
    }
    tenantId: 'string'
  }

For OfficeIRM, use:

  kind: 'OfficeIRM'
  properties: {
    dataTypes: {
      alerts: {
        state: 'string'
      }
    }
    tenantId: 'string'
  }

For OfficePowerBI, use:

  kind: 'OfficePowerBI'
  properties: {
    dataTypes: {
      logs: {
        state: 'string'
      }
    }
    tenantId: 'string'
  }

For ThreatIntelligence, use:

  kind: 'ThreatIntelligence'
  properties: {
    dataTypes: {
      indicators: {
        state: 'string'
      }
    }
    tenantId: 'string'
    tipLookbackPeriod: 'string'
  }

For ThreatIntelligenceTaxii, use:

  kind: 'ThreatIntelligenceTaxii'
  properties: {
    collectionId: 'string'
    dataTypes: {
      taxiiClient: {
        state: 'string'
      }
    }
    friendlyName: 'string'
    password: 'string'
    pollingFrequency: 'string'
    taxiiLookbackPeriod: 'string'
    taxiiServer: 'string'
    tenantId: 'string'
    userName: 'string'
    workspaceId: 'string'
  }

Property values

dataConnectors

Name Description Value
name The resource name string (required)
kind Set the object type AmazonWebServicesCloudTrail
AmazonWebServicesS3
APIPolling
AzureActiveDirectory
AzureAdvancedThreatProtection
AzureSecurityCenter
Dynamics365
GenericUI
IOT
MicrosoftCloudAppSecurity
MicrosoftDefenderAdvancedThreatProtection
MicrosoftThreatIntelligence
MicrosoftThreatProtection
Office365
Office365Project
OfficeATP
OfficeIRM
OfficePowerBI
ThreatIntelligence
ThreatIntelligenceTaxii (required)
scope Use when creating an extension resource at a scope that is different than the deployment scope. Target resource

For Bicep, set this property to the symbolic name of the resource to apply the extension resource.
etag Etag of the azure resource string

AwsCloudTrailDataConnector

Name Description Value
kind The data connector kind 'AmazonWebServicesCloudTrail' (required)
properties Amazon Web Services CloudTrail data connector properties. AwsCloudTrailDataConnectorProperties

AwsCloudTrailDataConnectorProperties

Name Description Value
dataTypes The available data types for the connector. AwsCloudTrailDataConnectorDataTypes (required)

AwsCloudTrailDataConnectorDataTypes

Name Description Value
logs Logs data type. AwsCloudTrailDataConnectorDataTypesLogs (required)

AwsCloudTrailDataConnectorDataTypesLogs

Name Description Value
state Describe whether this data type connection is enabled or not. 'Disabled'
'Enabled' (required)

AwsS3DataConnector

Name Description Value
kind The data connector kind 'AmazonWebServicesS3' (required)
properties Amazon Web Services S3 data connector properties. AwsS3DataConnectorProperties

AwsS3DataConnectorProperties

Name Description Value
dataTypes The available data types for the connector. AwsS3DataConnectorDataTypes (required)
destinationTable The logs destination table name in LogAnalytics. string (required)
roleArn The Aws Role Arn that is used to access the Aws account. string (required)
sqsUrls The AWS sqs urls for the connector. string[] (required)

AwsS3DataConnectorDataTypes

Name Description Value
logs Logs data type. AwsS3DataConnectorDataTypesLogs (required)

AwsS3DataConnectorDataTypesLogs

Name Description Value
state Describe whether this data type connection is enabled or not. 'Disabled'
'Enabled' (required)

CodelessApiPollingDataConnector

Name Description Value
kind The data connector kind 'APIPolling' (required)
properties Codeless poling data connector properties ApiPollingParameters

ApiPollingParameters

Name Description Value
connectorUiConfig Config to describe the instructions blade CodelessUiConnectorConfigProperties
pollingConfig Config to describe the polling instructions CodelessConnectorPollingConfigProperties

CodelessUiConnectorConfigProperties

Name Description Value
availability Connector Availability Status Availability (required)
connectivityCriteria Define the way the connector check connectivity CodelessUiConnectorConfigPropertiesConnectivityCrite...[] (required)
customImage An optional custom image to be used when displaying the connector within Azure Sentinel's connector's gallery string
dataTypes Data types to check for last data received CodelessUiConnectorConfigPropertiesDataTypesItem[] (required)
descriptionMarkdown Connector description string (required)
graphQueries The graph query to show the current data status CodelessUiConnectorConfigPropertiesGraphQueriesItem[] (required)
graphQueriesTableName Name of the table the connector will insert the data to string (required)
instructionSteps Instruction steps to enable the connector CodelessUiConnectorConfigPropertiesInstructionStepsI...[] (required)
permissions Permissions required for the connector Permissions (required)
publisher Connector publisher name string (required)
sampleQueries The sample queries for the connector CodelessUiConnectorConfigPropertiesSampleQueriesItem[] (required)
title Connector blade title string (required)

Availability

Name Description Value
isPreview Set connector as preview bool
status The connector Availability Status '1'

CodelessUiConnectorConfigPropertiesConnectivityCrite...

Name Description Value
type type of connectivity 'IsConnectedQuery'
value Queries for checking connectivity string[]

CodelessUiConnectorConfigPropertiesDataTypesItem

Name Description Value
lastDataReceivedQuery Query for indicate last data received string
name Name of the data type to show in the graph. can be use with {{graphQueriesTableName}} placeholder string

CodelessUiConnectorConfigPropertiesGraphQueriesItem

Name Description Value
baseQuery The base query for the graph string
legend The legend for the graph string
metricName the metric that the query is checking string

CodelessUiConnectorConfigPropertiesInstructionStepsI...

Name Description Value
description Instruction step description string
instructions Instruction step details InstructionStepsInstructionsItem[]
title Instruction step title string

InstructionStepsInstructionsItem

Name Description Value
parameters The parameters for the setting For Bicep, you can use the any() function.
type The kind of the setting 'CopyableLabel'
'InfoMessage'
'InstructionStepsGroup' (required)

Permissions

Name Description Value
customs Customs permissions required for the connector PermissionsCustomsItem[]
resourceProvider Resource provider permissions required for the connector PermissionsResourceProviderItem[]

PermissionsCustomsItem

Name Description Value
description Customs permissions description string
name Customs permissions name string

PermissionsResourceProviderItem

Name Description Value
permissionsDisplayText Permission description text string
provider Provider name 'Microsoft.Authorization/policyAssignments'
'Microsoft.OperationalInsights/solutions'
'Microsoft.OperationalInsights/workspaces'
'Microsoft.OperationalInsights/workspaces/datasources'
'Microsoft.OperationalInsights/workspaces/sharedKeys'
'microsoft.aadiam/diagnosticSettings'
providerDisplayName Permission provider display name string
requiredPermissions Required permissions for the connector RequiredPermissions
scope Permission provider scope 'ResourceGroup'
'Subscription'
'Workspace'

RequiredPermissions

Name Description Value
action action permission bool
delete delete permission bool
read read permission bool
write write permission bool

CodelessUiConnectorConfigPropertiesSampleQueriesItem

Name Description Value
description The sample query description string
query the sample query string

CodelessConnectorPollingConfigProperties

Name Description Value
auth Describe the authentication type of the poller CodelessConnectorPollingAuthProperties (required)
isActive The poller active status bool
paging Describe the poll request paging config of the poller CodelessConnectorPollingPagingProperties
request Describe the poll request config parameters of the poller CodelessConnectorPollingRequestProperties (required)
response Describe the response config parameters of the poller CodelessConnectorPollingResponseProperties

CodelessConnectorPollingAuthProperties

Name Description Value
apiKeyIdentifier A prefix send in the header before the actual token string
apiKeyName The header name which the token is sent with string
authorizationEndpoint The endpoint used to authorize the user, used in Oauth 2.0 flow string
authorizationEndpointQueryParameters The query parameters used in authorization request, used in Oauth 2.0 flow For Bicep, you can use the any() function.
authType The authentication type string (required)
flowName Describes the flow name, for example 'AuthCode' for Oauth 2.0 string
isApiKeyInPostPayload Marks if the key should sent in header string
isClientSecretInHeader Marks if we should send the client secret in header or payload, used in Oauth 2.0 flow bool
redirectionEndpoint The redirect endpoint where we will get the authorization code, used in Oauth 2.0 flow string
scope The OAuth token scope string
tokenEndpoint The endpoint used to issue a token, used in Oauth 2.0 flow string
tokenEndpointHeaders The query headers used in token request, used in Oauth 2.0 flow For Bicep, you can use the any() function.
tokenEndpointQueryParameters The query parameters used in token request, used in Oauth 2.0 flow For Bicep, you can use the any() function.

CodelessConnectorPollingPagingProperties

Name Description Value
nextPageParaName Defines the name of a next page attribute string
nextPageTokenJsonPath Defines the path to a next page token JSON string
pageCountAttributePath Defines the path to a page count attribute string
pageSize Defines the paging size int
pageSizeParaName Defines the name of the page size parameter string
pageTimeStampAttributePath Defines the path to a paging time stamp attribute string
pageTotalCountAttributePath Defines the path to a page total count attribute string
pagingType Describes the type. could be 'None', 'PageToken', 'PageCount', 'TimeStamp' string (required)
searchTheLatestTimeStampFromEventsList Determines whether to search for the latest time stamp in the events list string

CodelessConnectorPollingRequestProperties

Name Description Value
apiEndpoint Describe the endpoint we should pull the data from string (required)
endTimeAttributeName This will be used the query events from the end of the time window string
headers Describe the headers sent in the poll request For Bicep, you can use the any() function.
httpMethod The http method type we will use in the poll request, GET or POST string (required)
queryParameters Describe the query parameters sent in the poll request For Bicep, you can use the any() function.
queryParametersTemplate For advanced scenarios for example user name/password embedded in nested JSON payload string
queryTimeFormat The time format will be used the query events in a specific window string (required)
queryWindowInMin The window interval we will use the pull the data int (required)
rateLimitQps Defines the rate limit QPS int
retryCount Describe the amount of time we should try and poll the data in case of failure int
startTimeAttributeName This will be used the query events from a start of the time window string
timeoutInSeconds The number of seconds we will consider as a request timeout int

CodelessConnectorPollingResponseProperties

Name Description Value
eventsJsonPaths Describes the path we should extract the data in the response string[] (required)
isGzipCompressed Describes if the data in the response is Gzip bool
successStatusJsonPath Describes the path we should extract the status code in the response string
successStatusValue Describes the path we should extract the status value in the response string

AADDataConnector

Name Description Value
kind The data connector kind 'AzureActiveDirectory' (required)
properties AAD (Azure Active Directory) data connector properties. AADDataConnectorProperties

AADDataConnectorProperties

Name Description Value
dataTypes The available data types for the connector. AlertsDataTypeOfDataConnector
tenantId The tenant id to connect to, and get the data from. string (required)

AlertsDataTypeOfDataConnector

Name Description Value
alerts Alerts data type connection. DataConnectorDataTypeCommon (required)

DataConnectorDataTypeCommon

Name Description Value
state Describe whether this data type connection is enabled or not. 'Disabled'
'Enabled' (required)

AatpDataConnector

Name Description Value
kind The data connector kind 'AzureAdvancedThreatProtection' (required)
properties AATP (Azure Advanced Threat Protection) data connector properties. AatpDataConnectorProperties

AatpDataConnectorProperties

Name Description Value
dataTypes The available data types for the connector. AlertsDataTypeOfDataConnector
tenantId The tenant id to connect to, and get the data from. string (required)

ASCDataConnector

Name Description Value
kind The data connector kind 'AzureSecurityCenter' (required)
properties ASC (Azure Security Center) data connector properties. ASCDataConnectorProperties

ASCDataConnectorProperties

Name Description Value
dataTypes The available data types for the connector. AlertsDataTypeOfDataConnector
subscriptionId The subscription id to connect to, and get the data from. string

Dynamics365DataConnector

Name Description Value
kind The data connector kind 'Dynamics365' (required)
properties Dynamics365 data connector properties. Dynamics365DataConnectorProperties

Dynamics365DataConnectorProperties

Name Description Value
dataTypes The available data types for the connector. Dynamics365DataConnectorDataTypes (required)
tenantId The tenant id to connect to, and get the data from. string (required)

Dynamics365DataConnectorDataTypes

Name Description Value
dynamics365CdsActivities Common Data Service data type connection. Dynamics365DataConnectorDataTypesDynamics365CdsActiv... (required)

Dynamics365DataConnectorDataTypesDynamics365CdsActiv...

Name Description Value
state Describe whether this data type connection is enabled or not. 'Disabled'
'Enabled' (required)

CodelessUiDataConnector

Name Description Value
kind The data connector kind 'GenericUI' (required)
properties Codeless UI data connector properties CodelessParameters

CodelessParameters

Name Description Value
connectorUiConfig Config to describe the instructions blade CodelessUiConnectorConfigProperties

IoTDataConnector

Name Description Value
kind The data connector kind 'IOT' (required)
properties IoT data connector properties. IoTDataConnectorProperties

IoTDataConnectorProperties

Name Description Value
dataTypes The available data types for the connector. AlertsDataTypeOfDataConnector
subscriptionId The subscription id to connect to, and get the data from. string

McasDataConnector

Name Description Value
kind The data connector kind 'MicrosoftCloudAppSecurity' (required)
properties MCAS (Microsoft Cloud App Security) data connector properties. McasDataConnectorProperties

McasDataConnectorProperties

Name Description Value
dataTypes The available data types for the connector. McasDataConnectorDataTypes (required)
tenantId The tenant id to connect to, and get the data from. string (required)

McasDataConnectorDataTypes

Name Description Value
alerts Alerts data type connection. DataConnectorDataTypeCommon (required)
discoveryLogs Discovery log data type connection. DataConnectorDataTypeCommon

MdatpDataConnector

Name Description Value
kind The data connector kind 'MicrosoftDefenderAdvancedThreatProtection' (required)
properties MDATP (Microsoft Defender Advanced Threat Protection) data connector properties. MdatpDataConnectorProperties

MdatpDataConnectorProperties

Name Description Value
dataTypes The available data types for the connector. AlertsDataTypeOfDataConnector
tenantId The tenant id to connect to, and get the data from. string (required)

MstiDataConnector

Name Description Value
kind The data connector kind 'MicrosoftThreatIntelligence' (required)
properties Microsoft Threat Intelligence data connector properties. MstiDataConnectorProperties

MstiDataConnectorProperties

Name Description Value
dataTypes The available data types for the connector. MstiDataConnectorDataTypes (required)
tenantId The tenant id to connect to, and get the data from. string (required)

MstiDataConnectorDataTypes

Name Description Value
bingSafetyPhishingURL Data type for Microsoft Threat Intelligence Platforms data connector. MstiDataConnectorDataTypesBingSafetyPhishingURL (required)
microsoftEmergingThreatFeed Data type for Microsoft Threat Intelligence Platforms data connector. MstiDataConnectorDataTypesMicrosoftEmergingThreatFee... (required)

MstiDataConnectorDataTypesBingSafetyPhishingURL

Name Description Value
lookbackPeriod lookback period string (required)
state Describe whether this data type connection is enabled or not. 'Disabled'
'Enabled' (required)

MstiDataConnectorDataTypesMicrosoftEmergingThreatFee...

Name Description Value
lookbackPeriod lookback period string (required)
state Describe whether this data type connection is enabled or not. 'Disabled'
'Enabled' (required)

MTPDataConnector

Name Description Value
kind The data connector kind 'MicrosoftThreatProtection' (required)
properties MTP (Microsoft Threat Protection) data connector properties. MTPDataConnectorProperties

MTPDataConnectorProperties

Name Description Value
dataTypes The available data types for the connector. MTPDataConnectorDataTypes (required)
tenantId The tenant id to connect to, and get the data from. string (required)

MTPDataConnectorDataTypes

Name Description Value
incidents Data type for Microsoft Threat Protection Platforms data connector. MTPDataConnectorDataTypesIncidents (required)

MTPDataConnectorDataTypesIncidents

Name Description Value
state Describe whether this data type connection is enabled or not. 'Disabled'
'Enabled' (required)

OfficeDataConnector

Name Description Value
kind The data connector kind 'Office365' (required)
properties Office data connector properties. OfficeDataConnectorProperties

OfficeDataConnectorProperties

Name Description Value
dataTypes The available data types for the connector. OfficeDataConnectorDataTypes (required)
tenantId The tenant id to connect to, and get the data from. string (required)

OfficeDataConnectorDataTypes

Name Description Value
exchange Exchange data type connection. OfficeDataConnectorDataTypesExchange (required)
sharePoint SharePoint data type connection. OfficeDataConnectorDataTypesSharePoint (required)
teams Teams data type connection. OfficeDataConnectorDataTypesTeams (required)

OfficeDataConnectorDataTypesExchange

Name Description Value
state Describe whether this data type connection is enabled or not. 'Disabled'
'Enabled' (required)

OfficeDataConnectorDataTypesSharePoint

Name Description Value
state Describe whether this data type connection is enabled or not. 'Disabled'
'Enabled' (required)

OfficeDataConnectorDataTypesTeams

Name Description Value
state Describe whether this data type connection is enabled or not. 'Disabled'
'Enabled' (required)

Office365ProjectDataConnector

Name Description Value
kind The data connector kind 'Office365Project' (required)
properties Office Microsoft Project data connector properties. Office365ProjectDataConnectorProperties

Office365ProjectDataConnectorProperties

Name Description Value
dataTypes The available data types for the connector. Office365ProjectConnectorDataTypes (required)
tenantId The tenant id to connect to, and get the data from. string (required)

Office365ProjectConnectorDataTypes

Name Description Value
logs Logs data type. Office365ProjectConnectorDataTypesLogs (required)

Office365ProjectConnectorDataTypesLogs

Name Description Value
state Describe whether this data type connection is enabled or not. 'Disabled'
'Enabled' (required)

OfficeATPDataConnector

Name Description Value
kind The data connector kind 'OfficeATP' (required)
properties OfficeATP (Office 365 Advanced Threat Protection) data connector properties. OfficeATPDataConnectorProperties

OfficeATPDataConnectorProperties

Name Description Value
dataTypes The available data types for the connector. AlertsDataTypeOfDataConnector
tenantId The tenant id to connect to, and get the data from. string (required)

OfficeIRMDataConnector

Name Description Value
kind The data connector kind 'OfficeIRM' (required)
properties OfficeIRM (Microsoft Insider Risk Management) data connector properties. OfficeIRMDataConnectorProperties

OfficeIRMDataConnectorProperties

Name Description Value
dataTypes The available data types for the connector. AlertsDataTypeOfDataConnector
tenantId The tenant id to connect to, and get the data from. string (required)

OfficePowerBIDataConnector

Name Description Value
kind The data connector kind 'OfficePowerBI' (required)
properties Office Microsoft PowerBI data connector properties. OfficePowerBIDataConnectorProperties

OfficePowerBIDataConnectorProperties

Name Description Value
dataTypes The available data types for the connector. OfficePowerBIConnectorDataTypes (required)
tenantId The tenant id to connect to, and get the data from. string (required)

OfficePowerBIConnectorDataTypes

Name Description Value
logs Logs data type. OfficePowerBIConnectorDataTypesLogs (required)

OfficePowerBIConnectorDataTypesLogs

Name Description Value
state Describe whether this data type connection is enabled or not. 'Disabled'
'Enabled' (required)

TIDataConnector

Name Description Value
kind The data connector kind 'ThreatIntelligence' (required)
properties TI (Threat Intelligence) data connector properties. TIDataConnectorProperties

TIDataConnectorProperties

Name Description Value
dataTypes The available data types for the connector. TIDataConnectorDataTypes (required)
tenantId The tenant id to connect to, and get the data from. string (required)
tipLookbackPeriod The lookback period for the feed to be imported. string

TIDataConnectorDataTypes

Name Description Value
indicators Data type for indicators connection. TIDataConnectorDataTypesIndicators (required)

TIDataConnectorDataTypesIndicators

Name Description Value
state Describe whether this data type connection is enabled or not. 'Disabled'
'Enabled' (required)

TiTaxiiDataConnector

Name Description Value
kind The data connector kind 'ThreatIntelligenceTaxii' (required)
properties Threat intelligence TAXII data connector properties. TiTaxiiDataConnectorProperties

TiTaxiiDataConnectorProperties

Name Description Value
collectionId The collection id of the TAXII server. string
dataTypes The available data types for Threat Intelligence TAXII data connector. TiTaxiiDataConnectorDataTypes (required)
friendlyName The friendly name for the TAXII server. string
password The password for the TAXII server. string
pollingFrequency The polling frequency for the TAXII server. 'OnceADay'
'OnceAMinute'
'OnceAnHour' (required)
taxiiLookbackPeriod The lookback period for the TAXII server. string
taxiiServer The API root for the TAXII server. string
tenantId The tenant id to connect to, and get the data from. string (required)
userName The userName for the TAXII server. string
workspaceId The workspace id. string

TiTaxiiDataConnectorDataTypes

Name Description Value
taxiiClient Data type for TAXII connector. TiTaxiiDataConnectorDataTypesTaxiiClient (required)

TiTaxiiDataConnectorDataTypesTaxiiClient

Name Description Value
state Describe whether this data type connection is enabled or not. 'Disabled'
'Enabled' (required)

ARM template resource definition

The dataConnectors resource type is an extension resource, which means you can apply it to another resource.

Use the scope property on this resource to set the scope for this resource. See Set scope on extension resources in ARM templates.

For a list of changed properties in each API version, see change log.

Resource format

To create a Microsoft.SecurityInsights/dataConnectors resource, add the following JSON to your template.

{
  "type": "Microsoft.SecurityInsights/dataConnectors",
  "apiVersion": "2022-12-01-preview",
  "name": "string",
  "kind": "string",
  "scope": "string",
  "etag": "string",
  // For remaining properties, see dataConnectors objects
}

dataConnectors objects

Set the kind property to specify the type of object.

For AmazonWebServicesCloudTrail, use:

  "kind": "AmazonWebServicesCloudTrail",
  "properties": {
    "dataTypes": {
      "logs": {
        "state": "string"
      }
    }
  }

For AmazonWebServicesS3, use:

  "kind": "AmazonWebServicesS3",
  "properties": {
    "dataTypes": {
      "logs": {
        "state": "string"
      }
    },
    "destinationTable": "string",
    "roleArn": "string",
    "sqsUrls": [ "string" ]
  }

For APIPolling, use:

  "kind": "APIPolling",
  "properties": {
    "connectorUiConfig": {
      "availability": {
        "isPreview": "bool",
        "status": "1"
      },
      "connectivityCriteria": [
        {
          "type": "IsConnectedQuery",
          "value": [ "string" ]
        }
      ],
      "customImage": "string",
      "dataTypes": [
        {
          "lastDataReceivedQuery": "string",
          "name": "string"
        }
      ],
      "descriptionMarkdown": "string",
      "graphQueries": [
        {
          "baseQuery": "string",
          "legend": "string",
          "metricName": "string"
        }
      ],
      "graphQueriesTableName": "string",
      "instructionSteps": [
        {
          "description": "string",
          "instructions": [
            {
              "parameters": {},
              "type": "string"
            }
          ],
          "title": "string"
        }
      ],
      "permissions": {
        "customs": [
          {
            "description": "string",
            "name": "string"
          }
        ],
        "resourceProvider": [
          {
            "permissionsDisplayText": "string",
            "provider": "string",
            "providerDisplayName": "string",
            "requiredPermissions": {
              "action": "bool",
              "delete": "bool",
              "read": "bool",
              "write": "bool"
            },
            "scope": "string"
          }
        ]
      },
      "publisher": "string",
      "sampleQueries": [
        {
          "description": "string",
          "query": "string"
        }
      ],
      "title": "string"
    },
    "pollingConfig": {
      "auth": {
        "apiKeyIdentifier": "string",
        "apiKeyName": "string",
        "authorizationEndpoint": "string",
        "authorizationEndpointQueryParameters": {},
        "authType": "string",
        "flowName": "string",
        "isApiKeyInPostPayload": "string",
        "isClientSecretInHeader": "bool",
        "redirectionEndpoint": "string",
        "scope": "string",
        "tokenEndpoint": "string",
        "tokenEndpointHeaders": {},
        "tokenEndpointQueryParameters": {}
      },
      "isActive": "bool",
      "paging": {
        "nextPageParaName": "string",
        "nextPageTokenJsonPath": "string",
        "pageCountAttributePath": "string",
        "pageSize": "int",
        "pageSizeParaName": "string",
        "pageTimeStampAttributePath": "string",
        "pageTotalCountAttributePath": "string",
        "pagingType": "string",
        "searchTheLatestTimeStampFromEventsList": "string"
      },
      "request": {
        "apiEndpoint": "string",
        "endTimeAttributeName": "string",
        "headers": {},
        "httpMethod": "string",
        "queryParameters": {},
        "queryParametersTemplate": "string",
        "queryTimeFormat": "string",
        "queryWindowInMin": "int",
        "rateLimitQps": "int",
        "retryCount": "int",
        "startTimeAttributeName": "string",
        "timeoutInSeconds": "int"
      },
      "response": {
        "eventsJsonPaths": [ "string" ],
        "isGzipCompressed": "bool",
        "successStatusJsonPath": "string",
        "successStatusValue": "string"
      }
    }
  }

For AzureActiveDirectory, use:

  "kind": "AzureActiveDirectory",
  "properties": {
    "dataTypes": {
      "alerts": {
        "state": "string"
      }
    },
    "tenantId": "string"
  }

For AzureAdvancedThreatProtection, use:

  "kind": "AzureAdvancedThreatProtection",
  "properties": {
    "dataTypes": {
      "alerts": {
        "state": "string"
      }
    },
    "tenantId": "string"
  }

For AzureSecurityCenter, use:

  "kind": "AzureSecurityCenter",
  "properties": {
    "dataTypes": {
      "alerts": {
        "state": "string"
      }
    },
    "subscriptionId": "string"
  }

For Dynamics365, use:

  "kind": "Dynamics365",
  "properties": {
    "dataTypes": {
      "dynamics365CdsActivities": {
        "state": "string"
      }
    },
    "tenantId": "string"
  }

For GenericUI, use:

  "kind": "GenericUI",
  "properties": {
    "connectorUiConfig": {
      "availability": {
        "isPreview": "bool",
        "status": "1"
      },
      "connectivityCriteria": [
        {
          "type": "IsConnectedQuery",
          "value": [ "string" ]
        }
      ],
      "customImage": "string",
      "dataTypes": [
        {
          "lastDataReceivedQuery": "string",
          "name": "string"
        }
      ],
      "descriptionMarkdown": "string",
      "graphQueries": [
        {
          "baseQuery": "string",
          "legend": "string",
          "metricName": "string"
        }
      ],
      "graphQueriesTableName": "string",
      "instructionSteps": [
        {
          "description": "string",
          "instructions": [
            {
              "parameters": {},
              "type": "string"
            }
          ],
          "title": "string"
        }
      ],
      "permissions": {
        "customs": [
          {
            "description": "string",
            "name": "string"
          }
        ],
        "resourceProvider": [
          {
            "permissionsDisplayText": "string",
            "provider": "string",
            "providerDisplayName": "string",
            "requiredPermissions": {
              "action": "bool",
              "delete": "bool",
              "read": "bool",
              "write": "bool"
            },
            "scope": "string"
          }
        ]
      },
      "publisher": "string",
      "sampleQueries": [
        {
          "description": "string",
          "query": "string"
        }
      ],
      "title": "string"
    }
  }

For IOT, use:

  "kind": "IOT",
  "properties": {
    "dataTypes": {
      "alerts": {
        "state": "string"
      }
    },
    "subscriptionId": "string"
  }

For MicrosoftCloudAppSecurity, use:

  "kind": "MicrosoftCloudAppSecurity",
  "properties": {
    "dataTypes": {
      "alerts": {
        "state": "string"
      },
      "discoveryLogs": {
        "state": "string"
      }
    },
    "tenantId": "string"
  }

For MicrosoftDefenderAdvancedThreatProtection, use:

  "kind": "MicrosoftDefenderAdvancedThreatProtection",
  "properties": {
    "dataTypes": {
      "alerts": {
        "state": "string"
      }
    },
    "tenantId": "string"
  }

For MicrosoftThreatIntelligence, use:

  "kind": "MicrosoftThreatIntelligence",
  "properties": {
    "dataTypes": {
      "bingSafetyPhishingURL": {
        "lookbackPeriod": "string",
        "state": "string"
      },
      "microsoftEmergingThreatFeed": {
        "lookbackPeriod": "string",
        "state": "string"
      }
    },
    "tenantId": "string"
  }

For MicrosoftThreatProtection, use:

  "kind": "MicrosoftThreatProtection",
  "properties": {
    "dataTypes": {
      "incidents": {
        "state": "string"
      }
    },
    "tenantId": "string"
  }

For Office365, use:

  "kind": "Office365",
  "properties": {
    "dataTypes": {
      "exchange": {
        "state": "string"
      },
      "sharePoint": {
        "state": "string"
      },
      "teams": {
        "state": "string"
      }
    },
    "tenantId": "string"
  }

For Office365Project, use:

  "kind": "Office365Project",
  "properties": {
    "dataTypes": {
      "logs": {
        "state": "string"
      }
    },
    "tenantId": "string"
  }

For OfficeATP, use:

  "kind": "OfficeATP",
  "properties": {
    "dataTypes": {
      "alerts": {
        "state": "string"
      }
    },
    "tenantId": "string"
  }

For OfficeIRM, use:

  "kind": "OfficeIRM",
  "properties": {
    "dataTypes": {
      "alerts": {
        "state": "string"
      }
    },
    "tenantId": "string"
  }

For OfficePowerBI, use:

  "kind": "OfficePowerBI",
  "properties": {
    "dataTypes": {
      "logs": {
        "state": "string"
      }
    },
    "tenantId": "string"
  }

For ThreatIntelligence, use:

  "kind": "ThreatIntelligence",
  "properties": {
    "dataTypes": {
      "indicators": {
        "state": "string"
      }
    },
    "tenantId": "string",
    "tipLookbackPeriod": "string"
  }

For ThreatIntelligenceTaxii, use:

  "kind": "ThreatIntelligenceTaxii",
  "properties": {
    "collectionId": "string",
    "dataTypes": {
      "taxiiClient": {
        "state": "string"
      }
    },
    "friendlyName": "string",
    "password": "string",
    "pollingFrequency": "string",
    "taxiiLookbackPeriod": "string",
    "taxiiServer": "string",
    "tenantId": "string",
    "userName": "string",
    "workspaceId": "string"
  }

Property values

dataConnectors

Name Description Value
type The resource type 'Microsoft.SecurityInsights/dataConnectors'
apiVersion The resource api version '2022-12-01-preview'
name The resource name string (required)
kind Set the object type AmazonWebServicesCloudTrail
AmazonWebServicesS3
APIPolling
AzureActiveDirectory
AzureAdvancedThreatProtection
AzureSecurityCenter
Dynamics365
GenericUI
IOT
MicrosoftCloudAppSecurity
MicrosoftDefenderAdvancedThreatProtection
MicrosoftThreatIntelligence
MicrosoftThreatProtection
Office365
Office365Project
OfficeATP
OfficeIRM
OfficePowerBI
ThreatIntelligence
ThreatIntelligenceTaxii (required)
scope Use when creating an extension resource at a scope that is different than the deployment scope. Target resource

For JSON, set the value to the full name of the resource to apply the extension resource to.
etag Etag of the azure resource string

AwsCloudTrailDataConnector

Name Description Value
kind The data connector kind 'AmazonWebServicesCloudTrail' (required)
properties Amazon Web Services CloudTrail data connector properties. AwsCloudTrailDataConnectorProperties

AwsCloudTrailDataConnectorProperties

Name Description Value
dataTypes The available data types for the connector. AwsCloudTrailDataConnectorDataTypes (required)

AwsCloudTrailDataConnectorDataTypes

Name Description Value
logs Logs data type. AwsCloudTrailDataConnectorDataTypesLogs (required)

AwsCloudTrailDataConnectorDataTypesLogs

Name Description Value
state Describe whether this data type connection is enabled or not. 'Disabled'
'Enabled' (required)

AwsS3DataConnector

Name Description Value
kind The data connector kind 'AmazonWebServicesS3' (required)
properties Amazon Web Services S3 data connector properties. AwsS3DataConnectorProperties

AwsS3DataConnectorProperties

Name Description Value
dataTypes The available data types for the connector. AwsS3DataConnectorDataTypes (required)
destinationTable The logs destination table name in LogAnalytics. string (required)
roleArn The Aws Role Arn that is used to access the Aws account. string (required)
sqsUrls The AWS sqs urls for the connector. string[] (required)

AwsS3DataConnectorDataTypes

Name Description Value
logs Logs data type. AwsS3DataConnectorDataTypesLogs (required)

AwsS3DataConnectorDataTypesLogs

Name Description Value
state Describe whether this data type connection is enabled or not. 'Disabled'
'Enabled' (required)

CodelessApiPollingDataConnector

Name Description Value
kind The data connector kind 'APIPolling' (required)
properties Codeless poling data connector properties ApiPollingParameters

ApiPollingParameters

Name Description Value
connectorUiConfig Config to describe the instructions blade CodelessUiConnectorConfigProperties
pollingConfig Config to describe the polling instructions CodelessConnectorPollingConfigProperties

CodelessUiConnectorConfigProperties

Name Description Value
availability Connector Availability Status Availability (required)
connectivityCriteria Define the way the connector check connectivity CodelessUiConnectorConfigPropertiesConnectivityCrite...[] (required)
customImage An optional custom image to be used when displaying the connector within Azure Sentinel's connector's gallery string
dataTypes Data types to check for last data received CodelessUiConnectorConfigPropertiesDataTypesItem[] (required)
descriptionMarkdown Connector description string (required)
graphQueries The graph query to show the current data status CodelessUiConnectorConfigPropertiesGraphQueriesItem[] (required)
graphQueriesTableName Name of the table the connector will insert the data to string (required)
instructionSteps Instruction steps to enable the connector CodelessUiConnectorConfigPropertiesInstructionStepsI...[] (required)
permissions Permissions required for the connector Permissions (required)
publisher Connector publisher name string (required)
sampleQueries The sample queries for the connector CodelessUiConnectorConfigPropertiesSampleQueriesItem[] (required)
title Connector blade title string (required)

Availability

Name Description Value
isPreview Set connector as preview bool
status The connector Availability Status '1'

CodelessUiConnectorConfigPropertiesConnectivityCrite...

Name Description Value
type type of connectivity 'IsConnectedQuery'
value Queries for checking connectivity string[]

CodelessUiConnectorConfigPropertiesDataTypesItem

Name Description Value
lastDataReceivedQuery Query for indicate last data received string
name Name of the data type to show in the graph. can be use with {{graphQueriesTableName}} placeholder string

CodelessUiConnectorConfigPropertiesGraphQueriesItem

Name Description Value
baseQuery The base query for the graph string
legend The legend for the graph string
metricName the metric that the query is checking string

CodelessUiConnectorConfigPropertiesInstructionStepsI...

Name Description Value
description Instruction step description string
instructions Instruction step details InstructionStepsInstructionsItem[]
title Instruction step title string

InstructionStepsInstructionsItem

Name Description Value
parameters The parameters for the setting
type The kind of the setting 'CopyableLabel'
'InfoMessage'
'InstructionStepsGroup' (required)

Permissions

Name Description Value
customs Customs permissions required for the connector PermissionsCustomsItem[]
resourceProvider Resource provider permissions required for the connector PermissionsResourceProviderItem[]

PermissionsCustomsItem

Name Description Value
description Customs permissions description string
name Customs permissions name string

PermissionsResourceProviderItem

Name Description Value
permissionsDisplayText Permission description text string
provider Provider name 'Microsoft.Authorization/policyAssignments'
'Microsoft.OperationalInsights/solutions'
'Microsoft.OperationalInsights/workspaces'
'Microsoft.OperationalInsights/workspaces/datasources'
'Microsoft.OperationalInsights/workspaces/sharedKeys'
'microsoft.aadiam/diagnosticSettings'
providerDisplayName Permission provider display name string
requiredPermissions Required permissions for the connector RequiredPermissions
scope Permission provider scope 'ResourceGroup'
'Subscription'
'Workspace'

RequiredPermissions

Name Description Value
action action permission bool
delete delete permission bool
read read permission bool
write write permission bool

CodelessUiConnectorConfigPropertiesSampleQueriesItem

Name Description Value
description The sample query description string
query the sample query string

CodelessConnectorPollingConfigProperties

Name Description Value
auth Describe the authentication type of the poller CodelessConnectorPollingAuthProperties (required)
isActive The poller active status bool
paging Describe the poll request paging config of the poller CodelessConnectorPollingPagingProperties
request Describe the poll request config parameters of the poller CodelessConnectorPollingRequestProperties (required)
response Describe the response config parameters of the poller CodelessConnectorPollingResponseProperties

CodelessConnectorPollingAuthProperties

Name Description Value
apiKeyIdentifier A prefix send in the header before the actual token string
apiKeyName The header name which the token is sent with string
authorizationEndpoint The endpoint used to authorize the user, used in Oauth 2.0 flow string
authorizationEndpointQueryParameters The query parameters used in authorization request, used in Oauth 2.0 flow
authType The authentication type string (required)
flowName Describes the flow name, for example 'AuthCode' for Oauth 2.0 string
isApiKeyInPostPayload Marks if the key should sent in header string
isClientSecretInHeader Marks if we should send the client secret in header or payload, used in Oauth 2.0 flow bool
redirectionEndpoint The redirect endpoint where we will get the authorization code, used in Oauth 2.0 flow string
scope The OAuth token scope string
tokenEndpoint The endpoint used to issue a token, used in Oauth 2.0 flow string
tokenEndpointHeaders The query headers used in token request, used in Oauth 2.0 flow
tokenEndpointQueryParameters The query parameters used in token request, used in Oauth 2.0 flow

CodelessConnectorPollingPagingProperties

Name Description Value
nextPageParaName Defines the name of a next page attribute string
nextPageTokenJsonPath Defines the path to a next page token JSON string
pageCountAttributePath Defines the path to a page count attribute string
pageSize Defines the paging size int
pageSizeParaName Defines the name of the page size parameter string
pageTimeStampAttributePath Defines the path to a paging time stamp attribute string
pageTotalCountAttributePath Defines the path to a page total count attribute string
pagingType Describes the type. could be 'None', 'PageToken', 'PageCount', 'TimeStamp' string (required)
searchTheLatestTimeStampFromEventsList Determines whether to search for the latest time stamp in the events list string

CodelessConnectorPollingRequestProperties

Name Description Value
apiEndpoint Describe the endpoint we should pull the data from string (required)
endTimeAttributeName This will be used the query events from the end of the time window string
headers Describe the headers sent in the poll request
httpMethod The http method type we will use in the poll request, GET or POST string (required)
queryParameters Describe the query parameters sent in the poll request
queryParametersTemplate For advanced scenarios for example user name/password embedded in nested JSON payload string
queryTimeFormat The time format will be used the query events in a specific window string (required)
queryWindowInMin The window interval we will use the pull the data int (required)
rateLimitQps Defines the rate limit QPS int
retryCount Describe the amount of time we should try and poll the data in case of failure int
startTimeAttributeName This will be used the query events from a start of the time window string
timeoutInSeconds The number of seconds we will consider as a request timeout int

CodelessConnectorPollingResponseProperties

Name Description Value
eventsJsonPaths Describes the path we should extract the data in the response string[] (required)
isGzipCompressed Describes if the data in the response is Gzip bool
successStatusJsonPath Describes the path we should extract the status code in the response string
successStatusValue Describes the path we should extract the status value in the response string

AADDataConnector

Name Description Value
kind The data connector kind 'AzureActiveDirectory' (required)
properties AAD (Azure Active Directory) data connector properties. AADDataConnectorProperties

AADDataConnectorProperties

Name Description Value
dataTypes The available data types for the connector. AlertsDataTypeOfDataConnector
tenantId The tenant id to connect to, and get the data from. string (required)

AlertsDataTypeOfDataConnector

Name Description Value
alerts Alerts data type connection. DataConnectorDataTypeCommon (required)

DataConnectorDataTypeCommon

Name Description Value
state Describe whether this data type connection is enabled or not. 'Disabled'
'Enabled' (required)

AatpDataConnector

Name Description Value
kind The data connector kind 'AzureAdvancedThreatProtection' (required)
properties AATP (Azure Advanced Threat Protection) data connector properties. AatpDataConnectorProperties

AatpDataConnectorProperties

Name Description Value
dataTypes The available data types for the connector. AlertsDataTypeOfDataConnector
tenantId The tenant id to connect to, and get the data from. string (required)

ASCDataConnector

Name Description Value
kind The data connector kind 'AzureSecurityCenter' (required)
properties ASC (Azure Security Center) data connector properties. ASCDataConnectorProperties

ASCDataConnectorProperties

Name Description Value
dataTypes The available data types for the connector. AlertsDataTypeOfDataConnector
subscriptionId The subscription id to connect to, and get the data from. string

Dynamics365DataConnector

Name Description Value
kind The data connector kind 'Dynamics365' (required)
properties Dynamics365 data connector properties. Dynamics365DataConnectorProperties

Dynamics365DataConnectorProperties

Name Description Value
dataTypes The available data types for the connector. Dynamics365DataConnectorDataTypes (required)
tenantId The tenant id to connect to, and get the data from. string (required)

Dynamics365DataConnectorDataTypes

Name Description Value
dynamics365CdsActivities Common Data Service data type connection. Dynamics365DataConnectorDataTypesDynamics365CdsActiv... (required)

Dynamics365DataConnectorDataTypesDynamics365CdsActiv...

Name Description Value
state Describe whether this data type connection is enabled or not. 'Disabled'
'Enabled' (required)

CodelessUiDataConnector

Name Description Value
kind The data connector kind 'GenericUI' (required)
properties Codeless UI data connector properties CodelessParameters

CodelessParameters

Name Description Value
connectorUiConfig Config to describe the instructions blade CodelessUiConnectorConfigProperties

IoTDataConnector

Name Description Value
kind The data connector kind 'IOT' (required)
properties IoT data connector properties. IoTDataConnectorProperties

IoTDataConnectorProperties

Name Description Value
dataTypes The available data types for the connector. AlertsDataTypeOfDataConnector
subscriptionId The subscription id to connect to, and get the data from. string

McasDataConnector

Name Description Value
kind The data connector kind 'MicrosoftCloudAppSecurity' (required)
properties MCAS (Microsoft Cloud App Security) data connector properties. McasDataConnectorProperties

McasDataConnectorProperties

Name Description Value
dataTypes The available data types for the connector. McasDataConnectorDataTypes (required)
tenantId The tenant id to connect to, and get the data from. string (required)

McasDataConnectorDataTypes

Name Description Value
alerts Alerts data type connection. DataConnectorDataTypeCommon (required)
discoveryLogs Discovery log data type connection. DataConnectorDataTypeCommon

MdatpDataConnector

Name Description Value
kind The data connector kind 'MicrosoftDefenderAdvancedThreatProtection' (required)
properties MDATP (Microsoft Defender Advanced Threat Protection) data connector properties. MdatpDataConnectorProperties

MdatpDataConnectorProperties

Name Description Value
dataTypes The available data types for the connector. AlertsDataTypeOfDataConnector
tenantId The tenant id to connect to, and get the data from. string (required)

MstiDataConnector

Name Description Value
kind The data connector kind 'MicrosoftThreatIntelligence' (required)
properties Microsoft Threat Intelligence data connector properties. MstiDataConnectorProperties

MstiDataConnectorProperties

Name Description Value
dataTypes The available data types for the connector. MstiDataConnectorDataTypes (required)
tenantId The tenant id to connect to, and get the data from. string (required)

MstiDataConnectorDataTypes

Name Description Value
bingSafetyPhishingURL Data type for Microsoft Threat Intelligence Platforms data connector. MstiDataConnectorDataTypesBingSafetyPhishingURL (required)
microsoftEmergingThreatFeed Data type for Microsoft Threat Intelligence Platforms data connector. MstiDataConnectorDataTypesMicrosoftEmergingThreatFee... (required)

MstiDataConnectorDataTypesBingSafetyPhishingURL

Name Description Value
lookbackPeriod lookback period string (required)
state Describe whether this data type connection is enabled or not. 'Disabled'
'Enabled' (required)

MstiDataConnectorDataTypesMicrosoftEmergingThreatFee...

Name Description Value
lookbackPeriod lookback period string (required)
state Describe whether this data type connection is enabled or not. 'Disabled'
'Enabled' (required)

MTPDataConnector

Name Description Value
kind The data connector kind 'MicrosoftThreatProtection' (required)
properties MTP (Microsoft Threat Protection) data connector properties. MTPDataConnectorProperties

MTPDataConnectorProperties

Name Description Value
dataTypes The available data types for the connector. MTPDataConnectorDataTypes (required)
tenantId The tenant id to connect to, and get the data from. string (required)

MTPDataConnectorDataTypes

Name Description Value
incidents Data type for Microsoft Threat Protection Platforms data connector. MTPDataConnectorDataTypesIncidents (required)

MTPDataConnectorDataTypesIncidents

Name Description Value
state Describe whether this data type connection is enabled or not. 'Disabled'
'Enabled' (required)

OfficeDataConnector

Name Description Value
kind The data connector kind 'Office365' (required)
properties Office data connector properties. OfficeDataConnectorProperties

OfficeDataConnectorProperties

Name Description Value
dataTypes The available data types for the connector. OfficeDataConnectorDataTypes (required)
tenantId The tenant id to connect to, and get the data from. string (required)

OfficeDataConnectorDataTypes

Name Description Value
exchange Exchange data type connection. OfficeDataConnectorDataTypesExchange (required)
sharePoint SharePoint data type connection. OfficeDataConnectorDataTypesSharePoint (required)
teams Teams data type connection. OfficeDataConnectorDataTypesTeams (required)

OfficeDataConnectorDataTypesExchange

Name Description Value
state Describe whether this data type connection is enabled or not. 'Disabled'
'Enabled' (required)

OfficeDataConnectorDataTypesSharePoint

Name Description Value
state Describe whether this data type connection is enabled or not. 'Disabled'
'Enabled' (required)

OfficeDataConnectorDataTypesTeams

Name Description Value
state Describe whether this data type connection is enabled or not. 'Disabled'
'Enabled' (required)

Office365ProjectDataConnector

Name Description Value
kind The data connector kind 'Office365Project' (required)
properties Office Microsoft Project data connector properties. Office365ProjectDataConnectorProperties

Office365ProjectDataConnectorProperties

Name Description Value
dataTypes The available data types for the connector. Office365ProjectConnectorDataTypes (required)
tenantId The tenant id to connect to, and get the data from. string (required)

Office365ProjectConnectorDataTypes

Name Description Value
logs Logs data type. Office365ProjectConnectorDataTypesLogs (required)

Office365ProjectConnectorDataTypesLogs

Name Description Value
state Describe whether this data type connection is enabled or not. 'Disabled'
'Enabled' (required)

OfficeATPDataConnector

Name Description Value
kind The data connector kind 'OfficeATP' (required)
properties OfficeATP (Office 365 Advanced Threat Protection) data connector properties. OfficeATPDataConnectorProperties

OfficeATPDataConnectorProperties

Name Description Value
dataTypes The available data types for the connector. AlertsDataTypeOfDataConnector
tenantId The tenant id to connect to, and get the data from. string (required)

OfficeIRMDataConnector

Name Description Value
kind The data connector kind 'OfficeIRM' (required)
properties OfficeIRM (Microsoft Insider Risk Management) data connector properties. OfficeIRMDataConnectorProperties

OfficeIRMDataConnectorProperties

Name Description Value
dataTypes The available data types for the connector. AlertsDataTypeOfDataConnector
tenantId The tenant id to connect to, and get the data from. string (required)

OfficePowerBIDataConnector

Name Description Value
kind The data connector kind 'OfficePowerBI' (required)
properties Office Microsoft PowerBI data connector properties. OfficePowerBIDataConnectorProperties

OfficePowerBIDataConnectorProperties

Name Description Value
dataTypes The available data types for the connector. OfficePowerBIConnectorDataTypes (required)
tenantId The tenant id to connect to, and get the data from. string (required)

OfficePowerBIConnectorDataTypes

Name Description Value
logs Logs data type. OfficePowerBIConnectorDataTypesLogs (required)

OfficePowerBIConnectorDataTypesLogs

Name Description Value
state Describe whether this data type connection is enabled or not. 'Disabled'
'Enabled' (required)

TIDataConnector

Name Description Value
kind The data connector kind 'ThreatIntelligence' (required)
properties TI (Threat Intelligence) data connector properties. TIDataConnectorProperties

TIDataConnectorProperties

Name Description Value
dataTypes The available data types for the connector. TIDataConnectorDataTypes (required)
tenantId The tenant id to connect to, and get the data from. string (required)
tipLookbackPeriod The lookback period for the feed to be imported. string

TIDataConnectorDataTypes

Name Description Value
indicators Data type for indicators connection. TIDataConnectorDataTypesIndicators (required)

TIDataConnectorDataTypesIndicators

Name Description Value
state Describe whether this data type connection is enabled or not. 'Disabled'
'Enabled' (required)

TiTaxiiDataConnector

Name Description Value
kind The data connector kind 'ThreatIntelligenceTaxii' (required)
properties Threat intelligence TAXII data connector properties. TiTaxiiDataConnectorProperties

TiTaxiiDataConnectorProperties

Name Description Value
collectionId The collection id of the TAXII server. string
dataTypes The available data types for Threat Intelligence TAXII data connector. TiTaxiiDataConnectorDataTypes (required)
friendlyName The friendly name for the TAXII server. string
password The password for the TAXII server. string
pollingFrequency The polling frequency for the TAXII server. 'OnceADay'
'OnceAMinute'
'OnceAnHour' (required)
taxiiLookbackPeriod The lookback period for the TAXII server. string
taxiiServer The API root for the TAXII server. string
tenantId The tenant id to connect to, and get the data from. string (required)
userName The userName for the TAXII server. string
workspaceId The workspace id. string

TiTaxiiDataConnectorDataTypes

Name Description Value
taxiiClient Data type for TAXII connector. TiTaxiiDataConnectorDataTypesTaxiiClient (required)

TiTaxiiDataConnectorDataTypesTaxiiClient

Name Description Value
state Describe whether this data type connection is enabled or not. 'Disabled'
'Enabled' (required)

Terraform (AzAPI provider) resource definition

The dataConnectors resource type is an extension resource, which means you can apply it to another resource.

Use the parent_id property on this resource to set the scope for this resource.

For a list of changed properties in each API version, see change log.

Resource format

To create a Microsoft.SecurityInsights/dataConnectors resource, add the following Terraform to your template.

resource "azapi_resource" "symbolicname" {
  type = "Microsoft.SecurityInsights/dataConnectors@2022-12-01-preview"
  name = "string"
  parent_id = "string"
  // For remaining properties, see dataConnectors objects
  body = jsonencode({
    kind = "string"
    etag = "string"
  })
}

dataConnectors objects

Set the kind property to specify the type of object.

For AmazonWebServicesCloudTrail, use:

  kind = "AmazonWebServicesCloudTrail"
  properties = {
    dataTypes = {
      logs = {
        state = "string"
      }
    }
  }

For AmazonWebServicesS3, use:

  kind = "AmazonWebServicesS3"
  properties = {
    dataTypes = {
      logs = {
        state = "string"
      }
    }
    destinationTable = "string"
    roleArn = "string"
    sqsUrls = [
      "string"
    ]
  }

For APIPolling, use:

  kind = "APIPolling"
  properties = {
    connectorUiConfig = {
      availability = {
        isPreview = bool
        status = "1"
      }
      connectivityCriteria = [
        {
          type = "IsConnectedQuery"
          value = [
            "string"
          ]
        }
      ]
      customImage = "string"
      dataTypes = [
        {
          lastDataReceivedQuery = "string"
          name = "string"
        }
      ]
      descriptionMarkdown = "string"
      graphQueries = [
        {
          baseQuery = "string"
          legend = "string"
          metricName = "string"
        }
      ]
      graphQueriesTableName = "string"
      instructionSteps = [
        {
          description = "string"
          instructions = [
            {
              type = "string"
            }
          ]
          title = "string"
        }
      ]
      permissions = {
        customs = [
          {
            description = "string"
            name = "string"
          }
        ]
        resourceProvider = [
          {
            permissionsDisplayText = "string"
            provider = "string"
            providerDisplayName = "string"
            requiredPermissions = {
              action = bool
              delete = bool
              read = bool
              write = bool
            }
            scope = "string"
          }
        ]
      }
      publisher = "string"
      sampleQueries = [
        {
          description = "string"
          query = "string"
        }
      ]
      title = "string"
    }
    pollingConfig = {
      auth = {
        apiKeyIdentifier = "string"
        apiKeyName = "string"
        authorizationEndpoint = "string"
        authType = "string"
        flowName = "string"
        isApiKeyInPostPayload = "string"
        isClientSecretInHeader = bool
        redirectionEndpoint = "string"
        scope = "string"
        tokenEndpoint = "string"
      }
      isActive = bool
      paging = {
        nextPageParaName = "string"
        nextPageTokenJsonPath = "string"
        pageCountAttributePath = "string"
        pageSize = int
        pageSizeParaName = "string"
        pageTimeStampAttributePath = "string"
        pageTotalCountAttributePath = "string"
        pagingType = "string"
        searchTheLatestTimeStampFromEventsList = "string"
      }
      request = {
        apiEndpoint = "string"
        endTimeAttributeName = "string"
        httpMethod = "string"
        queryParametersTemplate = "string"
        queryTimeFormat = "string"
        queryWindowInMin = int
        rateLimitQps = int
        retryCount = int
        startTimeAttributeName = "string"
        timeoutInSeconds = int
      }
      response = {
        eventsJsonPaths = [
          "string"
        ]
        isGzipCompressed = bool
        successStatusJsonPath = "string"
        successStatusValue = "string"
      }
    }
  }

For AzureActiveDirectory, use:

  kind = "AzureActiveDirectory"
  properties = {
    dataTypes = {
      alerts = {
        state = "string"
      }
    }
    tenantId = "string"
  }

For AzureAdvancedThreatProtection, use:

  kind = "AzureAdvancedThreatProtection"
  properties = {
    dataTypes = {
      alerts = {
        state = "string"
      }
    }
    tenantId = "string"
  }

For AzureSecurityCenter, use:

  kind = "AzureSecurityCenter"
  properties = {
    dataTypes = {
      alerts = {
        state = "string"
      }
    }
    subscriptionId = "string"
  }

For Dynamics365, use:

  kind = "Dynamics365"
  properties = {
    dataTypes = {
      dynamics365CdsActivities = {
        state = "string"
      }
    }
    tenantId = "string"
  }

For GenericUI, use:

  kind = "GenericUI"
  properties = {
    connectorUiConfig = {
      availability = {
        isPreview = bool
        status = "1"
      }
      connectivityCriteria = [
        {
          type = "IsConnectedQuery"
          value = [
            "string"
          ]
        }
      ]
      customImage = "string"
      dataTypes = [
        {
          lastDataReceivedQuery = "string"
          name = "string"
        }
      ]
      descriptionMarkdown = "string"
      graphQueries = [
        {
          baseQuery = "string"
          legend = "string"
          metricName = "string"
        }
      ]
      graphQueriesTableName = "string"
      instructionSteps = [
        {
          description = "string"
          instructions = [
            {
              type = "string"
            }
          ]
          title = "string"
        }
      ]
      permissions = {
        customs = [
          {
            description = "string"
            name = "string"
          }
        ]
        resourceProvider = [
          {
            permissionsDisplayText = "string"
            provider = "string"
            providerDisplayName = "string"
            requiredPermissions = {
              action = bool
              delete = bool
              read = bool
              write = bool
            }
            scope = "string"
          }
        ]
      }
      publisher = "string"
      sampleQueries = [
        {
          description = "string"
          query = "string"
        }
      ]
      title = "string"
    }
  }

For IOT, use:

  kind = "IOT"
  properties = {
    dataTypes = {
      alerts = {
        state = "string"
      }
    }
    subscriptionId = "string"
  }

For MicrosoftCloudAppSecurity, use:

  kind = "MicrosoftCloudAppSecurity"
  properties = {
    dataTypes = {
      alerts = {
        state = "string"
      }
      discoveryLogs = {
        state = "string"
      }
    }
    tenantId = "string"
  }

For MicrosoftDefenderAdvancedThreatProtection, use:

  kind = "MicrosoftDefenderAdvancedThreatProtection"
  properties = {
    dataTypes = {
      alerts = {
        state = "string"
      }
    }
    tenantId = "string"
  }

For MicrosoftThreatIntelligence, use:

  kind = "MicrosoftThreatIntelligence"
  properties = {
    dataTypes = {
      bingSafetyPhishingURL = {
        lookbackPeriod = "string"
        state = "string"
      }
      microsoftEmergingThreatFeed = {
        lookbackPeriod = "string"
        state = "string"
      }
    }
    tenantId = "string"
  }

For MicrosoftThreatProtection, use:

  kind = "MicrosoftThreatProtection"
  properties = {
    dataTypes = {
      incidents = {
        state = "string"
      }
    }
    tenantId = "string"
  }

For Office365, use:

  kind = "Office365"
  properties = {
    dataTypes = {
      exchange = {
        state = "string"
      }
      sharePoint = {
        state = "string"
      }
      teams = {
        state = "string"
      }
    }
    tenantId = "string"
  }

For Office365Project, use:

  kind = "Office365Project"
  properties = {
    dataTypes = {
      logs = {
        state = "string"
      }
    }
    tenantId = "string"
  }

For OfficeATP, use:

  kind = "OfficeATP"
  properties = {
    dataTypes = {
      alerts = {
        state = "string"
      }
    }
    tenantId = "string"
  }

For OfficeIRM, use:

  kind = "OfficeIRM"
  properties = {
    dataTypes = {
      alerts = {
        state = "string"
      }
    }
    tenantId = "string"
  }

For OfficePowerBI, use:

  kind = "OfficePowerBI"
  properties = {
    dataTypes = {
      logs = {
        state = "string"
      }
    }
    tenantId = "string"
  }

For ThreatIntelligence, use:

  kind = "ThreatIntelligence"
  properties = {
    dataTypes = {
      indicators = {
        state = "string"
      }
    }
    tenantId = "string"
    tipLookbackPeriod = "string"
  }

For ThreatIntelligenceTaxii, use:

  kind = "ThreatIntelligenceTaxii"
  properties = {
    collectionId = "string"
    dataTypes = {
      taxiiClient = {
        state = "string"
      }
    }
    friendlyName = "string"
    password = "string"
    pollingFrequency = "string"
    taxiiLookbackPeriod = "string"
    taxiiServer = "string"
    tenantId = "string"
    userName = "string"
    workspaceId = "string"
  }

Property values

dataConnectors

Name Description Value
type The resource type "Microsoft.SecurityInsights/dataConnectors@2022-12-01-preview"
name The resource name string (required)
parent_id The ID of the resource to apply this extension resource to. string (required)
kind Set the object type AmazonWebServicesCloudTrail
AmazonWebServicesS3
APIPolling
AzureActiveDirectory
AzureAdvancedThreatProtection
AzureSecurityCenter
Dynamics365
GenericUI
IOT
MicrosoftCloudAppSecurity
MicrosoftDefenderAdvancedThreatProtection
MicrosoftThreatIntelligence
MicrosoftThreatProtection
Office365
Office365Project
OfficeATP
OfficeIRM
OfficePowerBI
ThreatIntelligence
ThreatIntelligenceTaxii (required)
etag Etag of the azure resource string

AwsCloudTrailDataConnector

Name Description Value
kind The data connector kind "AmazonWebServicesCloudTrail" (required)
properties Amazon Web Services CloudTrail data connector properties. AwsCloudTrailDataConnectorProperties

AwsCloudTrailDataConnectorProperties

Name Description Value
dataTypes The available data types for the connector. AwsCloudTrailDataConnectorDataTypes (required)

AwsCloudTrailDataConnectorDataTypes

Name Description Value
logs Logs data type. AwsCloudTrailDataConnectorDataTypesLogs (required)

AwsCloudTrailDataConnectorDataTypesLogs

Name Description Value
state Describe whether this data type connection is enabled or not. "Disabled"
"Enabled" (required)

AwsS3DataConnector

Name Description Value
kind The data connector kind "AmazonWebServicesS3" (required)
properties Amazon Web Services S3 data connector properties. AwsS3DataConnectorProperties

AwsS3DataConnectorProperties

Name Description Value
dataTypes The available data types for the connector. AwsS3DataConnectorDataTypes (required)
destinationTable The logs destination table name in LogAnalytics. string (required)
roleArn The Aws Role Arn that is used to access the Aws account. string (required)
sqsUrls The AWS sqs urls for the connector. string[] (required)

AwsS3DataConnectorDataTypes

Name Description Value
logs Logs data type. AwsS3DataConnectorDataTypesLogs (required)

AwsS3DataConnectorDataTypesLogs

Name Description Value
state Describe whether this data type connection is enabled or not. "Disabled"
"Enabled" (required)

CodelessApiPollingDataConnector

Name Description Value
kind The data connector kind "APIPolling" (required)
properties Codeless poling data connector properties ApiPollingParameters

ApiPollingParameters

Name Description Value
connectorUiConfig Config to describe the instructions blade CodelessUiConnectorConfigProperties
pollingConfig Config to describe the polling instructions CodelessConnectorPollingConfigProperties

CodelessUiConnectorConfigProperties

Name Description Value
availability Connector Availability Status Availability (required)
connectivityCriteria Define the way the connector check connectivity CodelessUiConnectorConfigPropertiesConnectivityCrite...[] (required)
customImage An optional custom image to be used when displaying the connector within Azure Sentinel's connector's gallery string
dataTypes Data types to check for last data received CodelessUiConnectorConfigPropertiesDataTypesItem[] (required)
descriptionMarkdown Connector description string (required)
graphQueries The graph query to show the current data status CodelessUiConnectorConfigPropertiesGraphQueriesItem[] (required)
graphQueriesTableName Name of the table the connector will insert the data to string (required)
instructionSteps Instruction steps to enable the connector CodelessUiConnectorConfigPropertiesInstructionStepsI...[] (required)
permissions Permissions required for the connector Permissions (required)
publisher Connector publisher name string (required)
sampleQueries The sample queries for the connector CodelessUiConnectorConfigPropertiesSampleQueriesItem[] (required)
title Connector blade title string (required)

Availability

Name Description Value
isPreview Set connector as preview bool
status The connector Availability Status "1"

CodelessUiConnectorConfigPropertiesConnectivityCrite...

Name Description Value
type type of connectivity "IsConnectedQuery"
value Queries for checking connectivity string[]

CodelessUiConnectorConfigPropertiesDataTypesItem

Name Description Value
lastDataReceivedQuery Query for indicate last data received string
name Name of the data type to show in the graph. can be use with {{graphQueriesTableName}} placeholder string

CodelessUiConnectorConfigPropertiesGraphQueriesItem

Name Description Value
baseQuery The base query for the graph string
legend The legend for the graph string
metricName the metric that the query is checking string

CodelessUiConnectorConfigPropertiesInstructionStepsI...

Name Description Value
description Instruction step description string
instructions Instruction step details InstructionStepsInstructionsItem[]
title Instruction step title string

InstructionStepsInstructionsItem

Name Description Value
parameters The parameters for the setting
type The kind of the setting "CopyableLabel"
"InfoMessage"
"InstructionStepsGroup" (required)

Permissions

Name Description Value
customs Customs permissions required for the connector PermissionsCustomsItem[]
resourceProvider Resource provider permissions required for the connector PermissionsResourceProviderItem[]

PermissionsCustomsItem

Name Description Value
description Customs permissions description string
name Customs permissions name string

PermissionsResourceProviderItem

Name Description Value
permissionsDisplayText Permission description text string
provider Provider name "Microsoft.Authorization/policyAssignments"
"Microsoft.OperationalInsights/solutions"
"Microsoft.OperationalInsights/workspaces"
"Microsoft.OperationalInsights/workspaces/datasources"
"Microsoft.OperationalInsights/workspaces/sharedKeys"
"microsoft.aadiam/diagnosticSettings"
providerDisplayName Permission provider display name string
requiredPermissions Required permissions for the connector RequiredPermissions
scope Permission provider scope "ResourceGroup"
"Subscription"
"Workspace"

RequiredPermissions

Name Description Value
action action permission bool
delete delete permission bool
read read permission bool
write write permission bool

CodelessUiConnectorConfigPropertiesSampleQueriesItem

Name Description Value
description The sample query description string
query the sample query string

CodelessConnectorPollingConfigProperties

Name Description Value
auth Describe the authentication type of the poller CodelessConnectorPollingAuthProperties (required)
isActive The poller active status bool
paging Describe the poll request paging config of the poller CodelessConnectorPollingPagingProperties
request Describe the poll request config parameters of the poller CodelessConnectorPollingRequestProperties (required)
response Describe the response config parameters of the poller CodelessConnectorPollingResponseProperties

CodelessConnectorPollingAuthProperties

Name Description Value
apiKeyIdentifier A prefix send in the header before the actual token string
apiKeyName The header name which the token is sent with string
authorizationEndpoint The endpoint used to authorize the user, used in Oauth 2.0 flow string
authorizationEndpointQueryParameters The query parameters used in authorization request, used in Oauth 2.0 flow
authType The authentication type string (required)
flowName Describes the flow name, for example 'AuthCode' for Oauth 2.0 string
isApiKeyInPostPayload Marks if the key should sent in header string
isClientSecretInHeader Marks if we should send the client secret in header or payload, used in Oauth 2.0 flow bool
redirectionEndpoint The redirect endpoint where we will get the authorization code, used in Oauth 2.0 flow string
scope The OAuth token scope string
tokenEndpoint The endpoint used to issue a token, used in Oauth 2.0 flow string
tokenEndpointHeaders The query headers used in token request, used in Oauth 2.0 flow
tokenEndpointQueryParameters The query parameters used in token request, used in Oauth 2.0 flow

CodelessConnectorPollingPagingProperties

Name Description Value
nextPageParaName Defines the name of a next page attribute string
nextPageTokenJsonPath Defines the path to a next page token JSON string
pageCountAttributePath Defines the path to a page count attribute string
pageSize Defines the paging size int
pageSizeParaName Defines the name of the page size parameter string
pageTimeStampAttributePath Defines the path to a paging time stamp attribute string
pageTotalCountAttributePath Defines the path to a page total count attribute string
pagingType Describes the type. could be 'None', 'PageToken', 'PageCount', 'TimeStamp' string (required)
searchTheLatestTimeStampFromEventsList Determines whether to search for the latest time stamp in the events list string

CodelessConnectorPollingRequestProperties

Name Description Value
apiEndpoint Describe the endpoint we should pull the data from string (required)
endTimeAttributeName This will be used the query events from the end of the time window string
headers Describe the headers sent in the poll request
httpMethod The http method type we will use in the poll request, GET or POST string (required)
queryParameters Describe the query parameters sent in the poll request
queryParametersTemplate For advanced scenarios for example user name/password embedded in nested JSON payload string
queryTimeFormat The time format will be used the query events in a specific window string (required)
queryWindowInMin The window interval we will use the pull the data int (required)
rateLimitQps Defines the rate limit QPS int
retryCount Describe the amount of time we should try and poll the data in case of failure int
startTimeAttributeName This will be used the query events from a start of the time window string
timeoutInSeconds The number of seconds we will consider as a request timeout int

CodelessConnectorPollingResponseProperties

Name Description Value
eventsJsonPaths Describes the path we should extract the data in the response string[] (required)
isGzipCompressed Describes if the data in the response is Gzip bool
successStatusJsonPath Describes the path we should extract the status code in the response string
successStatusValue Describes the path we should extract the status value in the response string

AADDataConnector

Name Description Value
kind The data connector kind "AzureActiveDirectory" (required)
properties AAD (Azure Active Directory) data connector properties. AADDataConnectorProperties

AADDataConnectorProperties

Name Description Value
dataTypes The available data types for the connector. AlertsDataTypeOfDataConnector
tenantId The tenant id to connect to, and get the data from. string (required)

AlertsDataTypeOfDataConnector

Name Description Value
alerts Alerts data type connection. DataConnectorDataTypeCommon (required)

DataConnectorDataTypeCommon

Name Description Value
state Describe whether this data type connection is enabled or not. "Disabled"
"Enabled" (required)

AatpDataConnector

Name Description Value
kind The data connector kind "AzureAdvancedThreatProtection" (required)
properties AATP (Azure Advanced Threat Protection) data connector properties. AatpDataConnectorProperties

AatpDataConnectorProperties

Name Description Value
dataTypes The available data types for the connector. AlertsDataTypeOfDataConnector
tenantId The tenant id to connect to, and get the data from. string (required)

ASCDataConnector

Name Description Value
kind The data connector kind "AzureSecurityCenter" (required)
properties ASC (Azure Security Center) data connector properties. ASCDataConnectorProperties

ASCDataConnectorProperties

Name Description Value
dataTypes The available data types for the connector. AlertsDataTypeOfDataConnector
subscriptionId The subscription id to connect to, and get the data from. string

Dynamics365DataConnector

Name Description Value
kind The data connector kind "Dynamics365" (required)
properties Dynamics365 data connector properties. Dynamics365DataConnectorProperties

Dynamics365DataConnectorProperties

Name Description Value
dataTypes The available data types for the connector. Dynamics365DataConnectorDataTypes (required)
tenantId The tenant id to connect to, and get the data from. string (required)

Dynamics365DataConnectorDataTypes

Name Description Value
dynamics365CdsActivities Common Data Service data type connection. Dynamics365DataConnectorDataTypesDynamics365CdsActiv... (required)

Dynamics365DataConnectorDataTypesDynamics365CdsActiv...

Name Description Value
state Describe whether this data type connection is enabled or not. "Disabled"
"Enabled" (required)

CodelessUiDataConnector

Name Description Value
kind The data connector kind "GenericUI" (required)
properties Codeless UI data connector properties CodelessParameters

CodelessParameters

Name Description Value
connectorUiConfig Config to describe the instructions blade CodelessUiConnectorConfigProperties

IoTDataConnector

Name Description Value
kind The data connector kind "IOT" (required)
properties IoT data connector properties. IoTDataConnectorProperties

IoTDataConnectorProperties

Name Description Value
dataTypes The available data types for the connector. AlertsDataTypeOfDataConnector
subscriptionId The subscription id to connect to, and get the data from. string

McasDataConnector

Name Description Value
kind The data connector kind "MicrosoftCloudAppSecurity" (required)
properties MCAS (Microsoft Cloud App Security) data connector properties. McasDataConnectorProperties

McasDataConnectorProperties

Name Description Value
dataTypes The available data types for the connector. McasDataConnectorDataTypes (required)
tenantId The tenant id to connect to, and get the data from. string (required)

McasDataConnectorDataTypes

Name Description Value
alerts Alerts data type connection. DataConnectorDataTypeCommon (required)
discoveryLogs Discovery log data type connection. DataConnectorDataTypeCommon

MdatpDataConnector

Name Description Value
kind The data connector kind "MicrosoftDefenderAdvancedThreatProtection" (required)
properties MDATP (Microsoft Defender Advanced Threat Protection) data connector properties. MdatpDataConnectorProperties

MdatpDataConnectorProperties

Name Description Value
dataTypes The available data types for the connector. AlertsDataTypeOfDataConnector
tenantId The tenant id to connect to, and get the data from. string (required)

MstiDataConnector

Name Description Value
kind The data connector kind "MicrosoftThreatIntelligence" (required)
properties Microsoft Threat Intelligence data connector properties. MstiDataConnectorProperties

MstiDataConnectorProperties

Name Description Value
dataTypes The available data types for the connector. MstiDataConnectorDataTypes (required)
tenantId The tenant id to connect to, and get the data from. string (required)

MstiDataConnectorDataTypes

Name Description Value
bingSafetyPhishingURL Data type for Microsoft Threat Intelligence Platforms data connector. MstiDataConnectorDataTypesBingSafetyPhishingURL (required)
microsoftEmergingThreatFeed Data type for Microsoft Threat Intelligence Platforms data connector. MstiDataConnectorDataTypesMicrosoftEmergingThreatFee... (required)

MstiDataConnectorDataTypesBingSafetyPhishingURL

Name Description Value
lookbackPeriod lookback period string (required)
state Describe whether this data type connection is enabled or not. "Disabled"
"Enabled" (required)

MstiDataConnectorDataTypesMicrosoftEmergingThreatFee...

Name Description Value
lookbackPeriod lookback period string (required)
state Describe whether this data type connection is enabled or not. "Disabled"
"Enabled" (required)

MTPDataConnector

Name Description Value
kind The data connector kind "MicrosoftThreatProtection" (required)
properties MTP (Microsoft Threat Protection) data connector properties. MTPDataConnectorProperties

MTPDataConnectorProperties

Name Description Value
dataTypes The available data types for the connector. MTPDataConnectorDataTypes (required)
tenantId The tenant id to connect to, and get the data from. string (required)

MTPDataConnectorDataTypes

Name Description Value
incidents Data type for Microsoft Threat Protection Platforms data connector. MTPDataConnectorDataTypesIncidents (required)

MTPDataConnectorDataTypesIncidents

Name Description Value
state Describe whether this data type connection is enabled or not. "Disabled"
"Enabled" (required)

OfficeDataConnector

Name Description Value
kind The data connector kind "Office365" (required)
properties Office data connector properties. OfficeDataConnectorProperties

OfficeDataConnectorProperties

Name Description Value
dataTypes The available data types for the connector. OfficeDataConnectorDataTypes (required)
tenantId The tenant id to connect to, and get the data from. string (required)

OfficeDataConnectorDataTypes

Name Description Value
exchange Exchange data type connection. OfficeDataConnectorDataTypesExchange (required)
sharePoint SharePoint data type connection. OfficeDataConnectorDataTypesSharePoint (required)
teams Teams data type connection. OfficeDataConnectorDataTypesTeams (required)

OfficeDataConnectorDataTypesExchange

Name Description Value
state Describe whether this data type connection is enabled or not. "Disabled"
"Enabled" (required)

OfficeDataConnectorDataTypesSharePoint

Name Description Value
state Describe whether this data type connection is enabled or not. "Disabled"
"Enabled" (required)

OfficeDataConnectorDataTypesTeams

Name Description Value
state Describe whether this data type connection is enabled or not. "Disabled"
"Enabled" (required)

Office365ProjectDataConnector

Name Description Value
kind The data connector kind "Office365Project" (required)
properties Office Microsoft Project data connector properties. Office365ProjectDataConnectorProperties

Office365ProjectDataConnectorProperties

Name Description Value
dataTypes The available data types for the connector. Office365ProjectConnectorDataTypes (required)
tenantId The tenant id to connect to, and get the data from. string (required)

Office365ProjectConnectorDataTypes

Name Description Value
logs Logs data type. Office365ProjectConnectorDataTypesLogs (required)

Office365ProjectConnectorDataTypesLogs

Name Description Value
state Describe whether this data type connection is enabled or not. "Disabled"
"Enabled" (required)

OfficeATPDataConnector

Name Description Value
kind The data connector kind "OfficeATP" (required)
properties OfficeATP (Office 365 Advanced Threat Protection) data connector properties. OfficeATPDataConnectorProperties

OfficeATPDataConnectorProperties

Name Description Value
dataTypes The available data types for the connector. AlertsDataTypeOfDataConnector
tenantId The tenant id to connect to, and get the data from. string (required)

OfficeIRMDataConnector

Name Description Value
kind The data connector kind "OfficeIRM" (required)
properties OfficeIRM (Microsoft Insider Risk Management) data connector properties. OfficeIRMDataConnectorProperties

OfficeIRMDataConnectorProperties

Name Description Value
dataTypes The available data types for the connector. AlertsDataTypeOfDataConnector
tenantId The tenant id to connect to, and get the data from. string (required)

OfficePowerBIDataConnector

Name Description Value
kind The data connector kind "OfficePowerBI" (required)
properties Office Microsoft PowerBI data connector properties. OfficePowerBIDataConnectorProperties

OfficePowerBIDataConnectorProperties

Name Description Value
dataTypes The available data types for the connector. OfficePowerBIConnectorDataTypes (required)
tenantId The tenant id to connect to, and get the data from. string (required)

OfficePowerBIConnectorDataTypes

Name Description Value
logs Logs data type. OfficePowerBIConnectorDataTypesLogs (required)

OfficePowerBIConnectorDataTypesLogs

Name Description Value
state Describe whether this data type connection is enabled or not. "Disabled"
"Enabled" (required)

TIDataConnector

Name Description Value
kind The data connector kind "ThreatIntelligence" (required)
properties TI (Threat Intelligence) data connector properties. TIDataConnectorProperties

TIDataConnectorProperties

Name Description Value
dataTypes The available data types for the connector. TIDataConnectorDataTypes (required)
tenantId The tenant id to connect to, and get the data from. string (required)
tipLookbackPeriod The lookback period for the feed to be imported. string

TIDataConnectorDataTypes

Name Description Value
indicators Data type for indicators connection. TIDataConnectorDataTypesIndicators (required)

TIDataConnectorDataTypesIndicators

Name Description Value
state Describe whether this data type connection is enabled or not. "Disabled"
"Enabled" (required)

TiTaxiiDataConnector

Name Description Value
kind The data connector kind "ThreatIntelligenceTaxii" (required)
properties Threat intelligence TAXII data connector properties. TiTaxiiDataConnectorProperties

TiTaxiiDataConnectorProperties

Name Description Value
collectionId The collection id of the TAXII server. string
dataTypes The available data types for Threat Intelligence TAXII data connector. TiTaxiiDataConnectorDataTypes (required)
friendlyName The friendly name for the TAXII server. string
password The password for the TAXII server. string
pollingFrequency The polling frequency for the TAXII server. "OnceADay"
"OnceAMinute"
"OnceAnHour" (required)
taxiiLookbackPeriod The lookback period for the TAXII server. string
taxiiServer The API root for the TAXII server. string
tenantId The tenant id to connect to, and get the data from. string (required)
userName The userName for the TAXII server. string
workspaceId The workspace id. string

TiTaxiiDataConnectorDataTypes

Name Description Value
taxiiClient Data type for TAXII connector. TiTaxiiDataConnectorDataTypesTaxiiClient (required)

TiTaxiiDataConnectorDataTypesTaxiiClient

Name Description Value
state Describe whether this data type connection is enabled or not. "Disabled"
"Enabled" (required)