Data Connectors - Create Or Update
Creates or updates the data connector.
PUT https://management.azure.com/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/dataConnectors/{dataConnectorId}?api-version=2024-09-01
URI Parameters
Name | In | Required | Type | Description |
---|---|---|---|---|
dataConnectorId | path | True | string | Connector ID |
resourceGroupName | path | True | string | The name of the resource group. The name is case insensitive. |
subscriptionId | path | True | string uuid | The ID of the target subscription. The value must be an UUID. |
workspaceName | path | True | string | The name of the workspace. Regex pattern: |
api-version | query | True | string | The API version to use for this operation. |
Request Body
The request body can be one of the following:
Name | Description |
---|---|
AADDataConnector | Represents AAD (Azure Active Directory) data connector. |
AATPDataConnector | Represents AATP (Azure Advanced Threat Protection) data connector. |
ASCDataConnector | Represents ASC (Azure Security Center) data connector. |
AwsCloudTrailDataConnector | Represents Amazon Web Services CloudTrail data connector. |
MCASDataConnector | Represents MCAS (Microsoft Cloud App Security) data connector. |
MDATPDataConnector | Represents MDATP (Microsoft Defender Advanced Threat Protection) data connector. |
MSTIDataConnector | Represents Microsoft Threat Intelligence data connector. |
OfficeDataConnector | Represents office data connector. |
PremiumMicrosoftDefenderForThreatIntelligence | Represents Premium Microsoft Defender for Threat Intelligence data connector. |
RestApiPollerDataConnector | Represents Rest Api Poller data connector. |
TIDataConnector | Represents threat intelligence data connector. |
AADDataConnector
Represents AAD (Azure Active Directory) data connector.
Name | Required | Type | Description |
---|---|---|---|
kind | True | string: AzureActiveDirectory | The data connector kind |
etag | | string | Etag of the azure resource |
properties.dataTypes | | | The available data types for the connector. |
properties.tenantId | | string | The tenant id to connect to, and get the data from. |
AATPDataConnector
Represents AATP (Azure Advanced Threat Protection) data connector.
Name | Required | Type | Description |
---|---|---|---|
kind | True | string: AzureAdvancedThreatProtection | The data connector kind |
etag | | string | Etag of the azure resource |
properties.dataTypes | | | The available data types for the connector. |
properties.tenantId | | string | The tenant id to connect to, and get the data from. |
ASCDataConnector
Represents ASC (Azure Security Center) data connector.
Name | Required | Type | Description |
---|---|---|---|
kind | True | string: AzureSecurityCenter | The data connector kind |
etag | | string | Etag of the azure resource |
properties.dataTypes | | | The available data types for the connector. |
properties.subscriptionId | | string | The subscription id to connect to, and get the data from. |
AwsCloudTrailDataConnector
Represents Amazon Web Services CloudTrail data connector.
Name | Required | Type | Description |
---|---|---|---|
kind | True | string: AmazonWebServicesCloudTrail | The data connector kind |
etag | | string | Etag of the azure resource |
properties.awsRoleArn | | string | The Aws Role Arn (with CloudTrailReadOnly policy) that is used to access the Aws account. |
properties.dataTypes | | | The available data types for the connector. |
MCASDataConnector
Represents MCAS (Microsoft Cloud App Security) data connector.
Name | Required | Type | Description |
---|---|---|---|
kind | True | string: MicrosoftCloudAppSecurity | The data connector kind |
etag | | string | Etag of the azure resource |
properties.dataTypes | | | The available data types for the connector. |
properties.tenantId | | string | The tenant id to connect to, and get the data from. |
MDATPDataConnector
Represents MDATP (Microsoft Defender Advanced Threat Protection) data connector.
Name | Required | Type | Description |
---|---|---|---|
kind | True | string: MicrosoftDefenderAdvancedThreatProtection | The data connector kind |
etag | | string | Etag of the azure resource |
properties.dataTypes | | | The available data types for the connector. |
properties.tenantId | | string | The tenant id to connect to, and get the data from. |
MSTIDataConnector
Represents Microsoft Threat Intelligence data connector.
Name | Required | Type | Description |
---|---|---|---|
kind | True | string: MicrosoftThreatIntelligence | The data connector kind |
properties.dataTypes | True | | The available data types for the connector. |
etag | | string | Etag of the azure resource |
properties.tenantId | | string | The tenant id to connect to, and get the data from. |
OfficeDataConnector
Represents office data connector.
Name | Required | Type | Description |
---|---|---|---|
kind | True | string: Office365 | The data connector kind |
etag | | string | Etag of the azure resource |
properties.dataTypes | | | The available data types for the connector. |
properties.tenantId | | string | The tenant id to connect to, and get the data from. |
PremiumMicrosoftDefenderForThreatIntelligence
Represents Premium Microsoft Defender for Threat Intelligence data connector.
Name | Required | Type | Description |
---|---|---|---|
kind | True | string: PremiumMicrosoftDefenderForThreatIntelligence | The data connector kind |
properties.dataTypes | True | | The available data types for the connector. |
properties.lookbackPeriod | True | string | The lookback period for the feed to be imported. The date-time to begin importing the feed from, for example: 2024-01-01T00:00:00.000Z. |
etag | | string | Etag of the azure resource |
properties.requiredSKUsPresent | | boolean | The flag to indicate whether the tenant has the premium SKU required to access this connector. |
properties.tenantId | | string | The tenant id to connect to, and get the data from. |
RestApiPollerDataConnector
Represents Rest Api Poller data connector.
Name | Required | Type | Description |
---|---|---|---|
kind | True | string: RestApiPoller | The data connector kind |
properties.auth | True | CcpAuthConfig: | The authentication model. |
properties.connectorDefinitionName | True | string | The connector definition name (the dataConnectorDefinition resource id). |
properties.request | True | | The request configuration. |
etag | | string | Etag of the azure resource |
properties.addOnAttributes | | object | The add on attributes. The key name will become attribute name (a column) and the value will become the attribute value in the payload. |
properties.dataType | | string | The Log Analytics table destination. |
properties.dcrConfig | | | The DCR related properties. |
properties.isActive | | boolean | Indicates whether the connector is active or not. |
properties.paging | | | The paging configuration. |
properties.response | | | The response configuration. |
TIDataConnector
Represents threat intelligence data connector.
Name | Required | Type | Description |
---|---|---|---|
kind | True | string: ThreatIntelligence | The data connector kind |
etag | | string | Etag of the azure resource |
properties.dataTypes | | | The available data types for the connector. |
properties.tenantId | | string | The tenant id to connect to, and get the data from. |
properties.tipLookbackPeriod | | string | The lookback period for the feed to be imported. |
Responses
Name | Type | Description |
---|---|---|
200 OK | DataConnector: | OK, Operation successfully completed |
201 Created | DataConnector: | Created |
Other Status Codes | | Error response describing why the operation failed. |
Security
azure_auth
Azure Active Directory OAuth2 Flow
Type: oauth2
Flow: implicit
Authorization URL: https://login.microsoftonline.com/common/oauth2/authorize
Scopes
Name | Description |
---|---|
user_impersonation | impersonate your user account |
Examples
Creates or updates a MicrosoftThreatIntelligence data connector.
Sample request
PUT https://management.azure.com/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalInsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/dataConnectors/c345bf40-8509-4ed2-b947-50cb773aaf04?api-version=2024-09-01
```json
{
  "kind": "MicrosoftThreatIntelligence",
  "properties": {
    "tenantId": "06b3ccb8-1384-4bcc-aec7-852f6d57161b",
    "dataTypes": {
      "microsoftEmergingThreatFeed": {
        "state": "Enabled",
        "lookbackPeriod": "2024-11-01T00:00:00Z"
      }
    }
  }
}
```
Sample response
```json
{
  "id": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalInsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/dataConnectors/c345bf40-8509-4ed2-b947-50cb773aaf04",
  "name": "c345bf40-8509-4ed2-b947-50cb773aaf04",
  "type": "Microsoft.SecurityInsights/dataConnectors",
  "etag": "d12423f6-a60b-4ca5-88c0-feb1a182d0f0",
  "kind": "MicrosoftThreatIntelligence",
  "properties": {
    "tenantId": "06b3ccb8-1384-4bcc-aec7-852f6d57161b",
    "dataTypes": {
      "microsoftEmergingThreatFeed": {
        "state": "Enabled",
        "lookbackPeriod": "2024-11-01T00:00:00Z"
      }
    }
  }
}
```
Creates or updates a PremiumMicrosoftDefenderForThreatIntelligence data connector.
Sample request
PUT https://management.azure.com/subscriptions/b66e5c69-e2eb-422a-81c3-002de57059f3/resourceGroups/myRg/providers/Microsoft.OperationalInsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/dataConnectors/8c569548-a86c-4fb4-8ae4-d1e35a6146f8?api-version=2024-09-01
```json
{
  "kind": "PremiumMicrosoftDefenderForThreatIntelligence",
  "properties": {
    "tenantId": "e4afb3c4-813b-4e68-b6de-e5360866e798",
    "lookbackPeriod": "1970-01-01T00:00:00.000Z",
    "dataTypes": {
      "connector": {
        "state": "Enabled"
      }
    }
  }
}
```
Sample response
```json
{
  "id": "/subscriptions/b66e5c69-e2eb-422a-81c3-002de57059f3/resourceGroups/myRg/providers/Microsoft.OperationalInsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/dataConnectors/3deede2e-c6d1-4ee6-afc8-e0190ac34200",
  "name": "3deede2e-c6d1-4ee6-afc8-e0190ac34200",
  "etag": "56003401-0000-0100-0000-67314b0b0000",
  "type": "Microsoft.SecurityInsights/dataConnectors",
  "kind": "PremiumMicrosoftDefenderForThreatIntelligence",
  "properties": {
    "lookbackPeriod": "2024-11-01T00:00:00Z",
    "requiredSKUsPresent": true,
    "dataTypes": {
      "connector": {
        "state": "Enabled"
      }
    },
    "tenantId": "e4afb3c4-813b-4e68-b6de-e5360866e798"
  }
}
```
Creates or updates an Office365 data connector.
Sample request
PUT https://management.azure.com/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalInsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/dataConnectors/73e01a99-5cd7-4139-a149-9f2736ff2ab5?api-version=2024-09-01
```json
{
  "kind": "Office365",
  "etag": "\"0300bf09-0000-0000-0000-5c37296e0000\"",
  "properties": {
    "tenantId": "2070ecc9-b4d5-4ae4-adaa-936fa1954fa8",
    "dataTypes": {
      "sharePoint": {
        "state": "Enabled"
      },
      "exchange": {
        "state": "Enabled"
      },
      "teams": {
        "state": "Enabled"
      }
    }
  }
}
```
Sample response
```json
{
  "id": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalInsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/dataConnectors/73e01a99-5cd7-4139-a149-9f2736ff2ab5",
  "name": "73e01a99-5cd7-4139-a149-9f2736ff2ab5",
  "type": "Microsoft.SecurityInsights/dataConnectors",
  "kind": "Office365",
  "etag": "\"0300bf09-0000-0000-0000-5c37296e0000\"",
  "properties": {
    "tenantId": "2070ecc9-b4d5-4ae4-adaa-936fa1954fa8",
    "dataTypes": {
      "sharePoint": {
        "state": "Enabled"
      },
      "exchange": {
        "state": "Enabled"
      },
      "teams": {
        "state": "Enabled"
      }
    }
  }
}
```
Creates or updates a Threat Intelligence Platform data connector.
Sample request
PUT https://management.azure.com/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalInsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/dataConnectors/73e01a99-5cd7-4139-a149-9f2736ff2ab5?api-version=2024-09-01
```json
{
  "kind": "ThreatIntelligence",
  "properties": {
    "tenantId": "06b3ccb8-1384-4bcc-aec7-852f6d57161b",
    "tipLookbackPeriod": "2020-01-01T13:00:30.123Z",
    "dataTypes": {
      "indicators": {
        "state": "Enabled"
      }
    }
  }
}
```
Sample response
```json
{
  "id": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalInsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/dataConnectors/73e01a99-5cd7-4139-a149-9f2736ff2ab5",
  "name": "73e01a99-5cd7-4139-a149-9f2736ff2ab5",
  "type": "Microsoft.SecurityInsights/dataConnectors",
  "kind": "ThreatIntelligence",
  "etag": "\"0300bf09-0000-0000-0000-5c37296e0000\"",
  "properties": {
    "tenantId": "06b3ccb8-1384-4bcc-aec7-852f6d57161b",
    "tipLookbackPeriod": "2020-01-01T13:00:30.123Z",
    "dataTypes": {
      "indicators": {
        "state": "Enabled"
      }
    }
  }
}
```
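A pre-flight check for the request documented on this page, as an added example (not Microsoft's code): it builds the PUT URL from the URI parameters, checks a body against the Required columns and the DataConnectorKind, DataTypeState and CcpAuthType values listed here, and reports data types that would be left Disabled. The function names, the two constructed sample bodies, and treating a missing `state` as an error are assumptions.

```python
"""Pre-flight check for a Data Connectors - Create Or Update (PUT) request."""
import uuid
from datetime import datetime
from urllib.parse import quote

API_VERSION = "2024-09-01"
# DataConnectorKind values from the Definitions section of this page.
KINDS = {
    "AmazonWebServicesCloudTrail", "AzureActiveDirectory",
    "AzureAdvancedThreatProtection", "AzureSecurityCenter",
    "MicrosoftCloudAppSecurity", "MicrosoftDefenderAdvancedThreatProtection",
    "MicrosoftThreatIntelligence", "Office365",
    "PremiumMicrosoftDefenderForThreatIntelligence", "RestApiPoller",
    "ThreatIntelligence",
}
# properties.* fields marked Required in the request-body tables of this page.
REQUIRED_PROPS = {
    "MicrosoftThreatIntelligence": ["dataTypes"],
    "PremiumMicrosoftDefenderForThreatIntelligence": ["dataTypes", "lookbackPeriod"],
    "RestApiPoller": ["auth", "connectorDefinitionName", "request"],
}
# CcpAuthType and DataTypeState values from the Definitions section.
AUTH_TYPES = {"APIKey", "AWS", "Basic", "GCP", "GitHub", "JwtToken", "None",
              "OAuth2", "Oracle", "ServiceBus", "Session"}
STATES = {"Enabled", "Disabled"}


def is_datetime(value):
    """True if value is a date-time such as 2024-01-01T00:00:00.000Z."""
    if not isinstance(value, str) or "T" not in value:
        return False
    if value.endswith("Z"):  # older Pythons do not parse a trailing Z
        value = value[:-1] + "+00:00"
    try:
        datetime.fromisoformat(value)
        return True
    except ValueError:
        return False


def build_put_url(subscription_id, resource_group, workspace, connector_id):
    """Build the request URL; every path parameter is percent-encoded."""
    if str(uuid.UUID(subscription_id)) != subscription_id.lower():
        raise ValueError("subscriptionId must be a UUID")
    seg = lambda s: quote(s, safe="")
    return (f"https://management.azure.com/subscriptions/{seg(subscription_id)}"
            f"/resourceGroups/{seg(resource_group)}"
            f"/providers/Microsoft.OperationalInsights/workspaces/{seg(workspace)}"
            f"/providers/Microsoft.SecurityInsights/dataConnectors/{seg(connector_id)}"
            f"?api-version={API_VERSION}")


def validate_body(body):
    """Return a list of problems; an empty list means these checks passed."""
    kind = body.get("kind")
    if kind not in KINDS:
        return [f"kind {kind!r} is not a DataConnectorKind value"]
    problems = []
    props = body.get("properties") or {}
    for name in REQUIRED_PROPS.get(kind, []):
        if name not in props:
            problems.append(f"properties.{name} is required for {kind}")
    for field in ("lookbackPeriod", "tipLookbackPeriod"):
        if field in props and not is_datetime(props[field]):
            problems.append(f"properties.{field} is not a date-time")
    for name, dt in (props.get("dataTypes") or {}).items():
        dt = dt if isinstance(dt, dict) else {}
        # Assumption: a data type without a state is treated as an error.
        if dt.get("state") not in STATES:
            problems.append(f"properties.dataTypes.{name}.state must be Enabled or Disabled")
        if "lookbackPeriod" in dt and not is_datetime(dt["lookbackPeriod"]):
            problems.append(f"properties.dataTypes.{name}.lookbackPeriod is not a date-time")
    if "auth" in props and (props["auth"] or {}).get("type") not in AUTH_TYPES:
        problems.append("properties.auth.type is not a CcpAuthType value")
    return problems


def disabled_data_types(body):
    """Names of data types the body leaves Disabled (a log-coverage gap)."""
    data_types = (body.get("properties") or {}).get("dataTypes") or {}
    return sorted(n for n, dt in data_types.items()
                  if isinstance(dt, dict) and dt.get("state") == "Disabled")


# MicrosoftThreatIntelligence sample request body, copied from this page.
MSTI_SAMPLE = {"kind": "MicrosoftThreatIntelligence", "properties": {
    "tenantId": "06b3ccb8-1384-4bcc-aec7-852f6d57161b",
    "dataTypes": {"microsoftEmergingThreatFeed": {
        "state": "Enabled", "lookbackPeriod": "2024-11-01T00:00:00Z"}}}}
# Constructed samples (placeholder tenant id, not from the page).
PLACEHOLDER_TENANT = "00000000-0000-0000-0000-000000000000"
PREMIUM_NO_LOOKBACK = {"kind": "PremiumMicrosoftDefenderForThreatIntelligence",
                       "properties": {"tenantId": PLACEHOLDER_TENANT,
                                      "dataTypes": {"connector": {"state": "Enabled"}}}}
OFFICE_TEAMS_OFF = {"kind": "Office365", "properties": {
    "tenantId": PLACEHOLDER_TENANT,
    "dataTypes": {"sharePoint": {"state": "Enabled"},
                  "exchange": {"state": "Enabled"},
                  "teams": {"state": "Disabled"}}}}

if __name__ == "__main__":
    for sample in (MSTI_SAMPLE, PREMIUM_NO_LOOKBACK, OFFICE_TEAMS_OFF):
        print(sample["kind"], validate_body(sample), disabled_data_types(sample))
```
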
Definitions
Name | Description |
---|---|
AADDataConnector | Represents AAD (Azure Active Directory) data connector. |
AATPDataConnector | Represents AATP (Azure Advanced Threat Protection) data connector. |
AlertsDataTypeOfDataConnector | Alerts data type for data connectors. |
ApiKeyAuthModel | Model for authentication with the API Key. Will result in additional header on the request (default behavior) to the remote server: 'ApiKeyName: ApiKeyIdentifier ApiKey'. If 'IsApiKeyInPostPayload' is true it will send it in the body of the request and not the header. |
ASCDataConnector | Represents ASC (Azure Security Center) data connector. |
AWSAuthModel | Model for API authentication with AWS. |
AwsCloudTrailDataConnector | Represents Amazon Web Services CloudTrail data connector. |
AwsCloudTrailDataConnectorDataTypes | The available data types for Amazon Web Services CloudTrail data connector. |
BasicAuthModel | Model for API authentication with basic flow - user name + password. |
CcpAuthType | Type of paging |
CcpResponseConfig | A custom response configuration for a rule. |
CloudError | Error response structure. |
CloudErrorBody | Error details. |
Connector | Data type for Premium Microsoft Defender for Threat Intelligence data connector. |
createdByType | The type of identity that created the resource. |
DataConnectorDataTypeCommon | Common field for data type in data connectors. |
DataConnectorKind | The kind of the data connector |
DataTypeState | Describe whether this data type connection is enabled or not. |
DCRConfiguration | The configuration of the destination of the data. |
Exchange | Exchange data type connection. |
GCPAuthModel | Model for API authentication for all GCP kind connectors. |
GenericBlobSbsAuthModel | Model for API authentication for working with service bus or storage account. |
GitHubAuthModel | Model for API authentication for GitHub. For this authentication first we need to approve the Router app (Microsoft Security DevOps) to access the GitHub account; then we only need the InstallationId to get the access token from https://api.github.com/app/installations/{installId}/access_tokens. |
httpMethodVerb | The HTTP method, default value GET. |
Indicators | Data type for indicators connection. |
JwtAuthModel | Model for API authentication with JWT. Simple exchange between user name + password to access token. |
Logs | Logs data type. |
MCASDataConnector | Represents MCAS (Microsoft Cloud App Security) data connector. |
MCASDataConnectorDataTypes | The available data types for MCAS (Microsoft Cloud App Security) data connector. |
MDATPDataConnector | Represents MDATP (Microsoft Defender Advanced Threat Protection) data connector. |
MicrosoftEmergingThreatFeed | Data type for Microsoft Threat Intelligence data connector. |
MSTIDataConnector | Represents Microsoft Threat Intelligence data connector. |
MSTIDataConnectorDataTypes | The available data types for Microsoft Threat Intelligence data connector. |
NoneAuthModel | Model for API authentication with no authentication method - public API. |
OAuthModel | Model for API authentication with OAuth2. |
OfficeDataConnector | Represents office data connector. |
Office | The available data types for office data connector. |
Oracle | Model for API authentication for Oracle. |
Premium | The available data types for Premium Microsoft Defender for Threat Intelligence data connector. |
PremiumMicrosoftDefenderForThreatIntelligence | Represents Premium Microsoft Defender for Threat Intelligence data connector. |
RestApiPollerDataConnector | Represents Rest Api Poller data connector. |
Rest | The request configuration. |
Rest | The request paging configuration. |
Rest | Type of paging |
Session | Model for API authentication with session cookie. |
Share | SharePoint data type connection. |
system | Metadata pertaining to creation and last modification of the resource. |
Teams | Teams data type connection. |
TIDataConnector | Represents threat intelligence data connector. |
TIData | The available data types for TI (Threat Intelligence) data connector. |
AADDataConnector
Represents AAD (Azure Active Directory) data connector.
Name | Type | Description |
---|---|---|
etag | string | Etag of the azure resource |
id | string | Fully qualified resource ID for the resource. E.g. "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/{resourceProviderNamespace}/{resourceType}/{resourceName}" |
kind | string: AzureActiveDirectory | The data connector kind |
name | string | The name of the resource |
properties.dataTypes | | The available data types for the connector. |
properties.tenantId | string | The tenant id to connect to, and get the data from. |
systemData | | Azure Resource Manager metadata containing createdBy and modifiedBy information. |
type | string | The type of the resource. E.g. "Microsoft.Compute/virtualMachines" or "Microsoft.Storage/storageAccounts" |
AATPDataConnector
Represents AATP (Azure Advanced Threat Protection) data connector.
Name | Type | Description |
---|---|---|
etag | string | Etag of the azure resource |
id | string | Fully qualified resource ID for the resource. E.g. "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/{resourceProviderNamespace}/{resourceType}/{resourceName}" |
kind | string: AzureAdvancedThreatProtection | The data connector kind |
name | string | The name of the resource |
properties.dataTypes | | The available data types for the connector. |
properties.tenantId | string | The tenant id to connect to, and get the data from. |
systemData | | Azure Resource Manager metadata containing createdBy and modifiedBy information. |
type | string | The type of the resource. E.g. "Microsoft.Compute/virtualMachines" or "Microsoft.Storage/storageAccounts" |
AlertsDataTypeOfDataConnector
Alerts data type for data connectors.
Name | Type | Description |
---|---|---|
alerts | | Alerts data type connection. |
ApiKeyAuthModel
Model for authentication with the API Key. Will result in additional header on the request (default behavior) to the remote server: 'ApiKeyName: ApiKeyIdentifier ApiKey'. If 'IsApiKeyInPostPayload' is true it will send it in the body of the request and not the header.
Name | Type | Description |
---|---|---|
apiKey | string | API Key for the user secret key credential |
apiKeyIdentifier | string | API Key Identifier |
apiKeyName | string | API Key name |
isApiKeyInPostPayload | boolean | Flag to indicate if API key is set in HTTP POST payload |
type | string: APIKey | The auth type |
ASCDataConnector
Represents ASC (Azure Security Center) data connector.
Name | Type | Description |
---|---|---|
etag | string | Etag of the azure resource |
id | string | Fully qualified resource ID for the resource. E.g. "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/{resourceProviderNamespace}/{resourceType}/{resourceName}" |
kind | string: AzureSecurityCenter | The data connector kind |
name | string | The name of the resource |
properties.dataTypes | | The available data types for the connector. |
properties.subscriptionId | string | The subscription id to connect to, and get the data from. |
systemData | | Azure Resource Manager metadata containing createdBy and modifiedBy information. |
type | string | The type of the resource. E.g. "Microsoft.Compute/virtualMachines" or "Microsoft.Storage/storageAccounts" |
AWSAuthModel
Model for API authentication with AWS.
Name | Type | Description |
---|---|---|
externalId | string | AWS STS assume role external ID. This is used to prevent the confused deputy problem: 'https://docs.aws.amazon.com/IAM/latest/UserGuide/confused-deputy.html' |
roleArn | string | AWS STS assume role ARN |
type | string: AWS | The auth type |
AwsCloudTrailDataConnector
Represents Amazon Web Services CloudTrail data connector.
Name | Type | Description |
---|---|---|
etag | string | Etag of the azure resource |
id | string | Fully qualified resource ID for the resource. E.g. "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/{resourceProviderNamespace}/{resourceType}/{resourceName}" |
kind | string: AmazonWebServicesCloudTrail | The data connector kind |
name | string | The name of the resource |
properties.awsRoleArn | string | The Aws Role Arn (with CloudTrailReadOnly policy) that is used to access the Aws account. |
properties.dataTypes | | The available data types for the connector. |
systemData | | Azure Resource Manager metadata containing createdBy and modifiedBy information. |
type | string | The type of the resource. E.g. "Microsoft.Compute/virtualMachines" or "Microsoft.Storage/storageAccounts" |
AwsCloudTrailDataConnectorDataTypes
The available data types for Amazon Web Services CloudTrail data connector.
Name | Type | Description |
---|---|---|
logs | | Logs data type. |
BasicAuthModel
Model for API authentication with basic flow - user name + password.
Name | Type | Description |
---|---|---|
password | string | The password |
type | string: Basic | The auth type |
userName | string | The user name. |
CcpAuthType
Type of paging
Name | Type | Description |
---|---|---|
APIKey | string | |
AWS | string | |
Basic | string | |
GCP | string | |
GitHub | string | |
JwtToken | string | |
None | string | |
OAuth2 | string | |
Oracle | string | |
ServiceBus | string | |
Session | string | |
CcpResponseConfig
A custom response configuration for a rule.
Name | Type | Default value | Description |
---|---|---|---|
compressionAlgo | string | gzip | The compression algorithm. For example: 'gzip', 'multi-gzip', 'deflate'. |
convertChildPropertiesToArray | boolean | | The value indicating whether the response isn't an array of events / logs. Setting this flag to true means the remote server will respond with an object in which each property has as its value an array of events / logs. |
csvDelimiter | string | | The csv delimiter, in case the response format is CSV. |
csvEscape | string | " | The character used to escape characters in CSV. |
eventsJsonPaths | string[] | | The json paths, '$' char is the json root. |
format | string | json | The response format. Possible values are json, csv, xml. |
hasCsvBoundary | boolean | | The value indicating whether the response has a CSV boundary, in case the response is in CSV format. |
hasCsvHeader | boolean | | The value indicating whether the response has headers, in case the response is in CSV format. |
isGzipCompressed | boolean | | The value indicating whether the remote server supports Gzip and we should expect a Gzip response. |
successStatusJsonPath | string | | The value where the status message/code should appear in the response. |
successStatusValue | string | | The status value. |
CloudError
Error response structure.
Name | Type | Description |
---|---|---|
error | | Error data |
CloudErrorBody
Error details.
Name | Type | Description |
---|---|---|
code | string | An identifier for the error. Codes are invariant and are intended to be consumed programmatically. |
message | string | A message describing the error, intended to be suitable for display in a user interface. |
Connector
Data type for Premium Microsoft Defender for Threat Intelligence data connector.
Name | Type | Description |
---|---|---|
state | | Describe whether this data type connection is enabled or not. |
createdByType
The type of identity that created the resource.
Name | Type | Description |
---|---|---|
Application | string | |
Key | string | |
ManagedIdentity | string | |
User | string | |
DataConnectorDataTypeCommon
Common field for data type in data connectors.
Name | Type | Description |
---|---|---|
state | | Describe whether this data type connection is enabled or not. |
DataConnectorKind
The kind of the data connector
Name | Type | Description |
---|---|---|
AmazonWebServicesCloudTrail | string | |
AzureActiveDirectory | string | |
AzureAdvancedThreatProtection | string | |
AzureSecurityCenter | string | |
MicrosoftCloudAppSecurity | string | |
MicrosoftDefenderAdvancedThreatProtection | string | |
MicrosoftThreatIntelligence | string | |
Office365 | string | |
PremiumMicrosoftDefenderForThreatIntelligence | string | |
RestApiPoller | string | |
ThreatIntelligence | string | |
DataTypeState
Describe whether this data type connection is enabled or not.
Name | Type | Description |
---|---|---|
Disabled | string | |
Enabled | string | |
DCRConfiguration
The configuration of the destination of the data.
Name | Type | Description |
---|---|---|
dataCollectionEndpoint | string | Represents the data collection ingestion endpoint in log analytics. |
dataCollectionRuleImmutableId | string | The data collection rule immutable id, the rule defines the transformation and data destination. |
streamName | string | The stream we are sending the data to. |
Exchange
Exchange data type connection.
Name | Type | Description |
---|---|---|
state | | Describe whether this data type connection is enabled or not. |
GCPAuthModel
Model for API authentication for all GCP kind connectors.
Name | Type | Description |
---|---|---|
projectNumber | string | GCP Project Number |
serviceAccountEmail | string | GCP Service Account Email |
type | string: GCP | The auth type |
workloadIdentityProviderId | string | GCP Workload Identity Provider ID |
GenericBlobSbsAuthModel
Model for API authentication for working with service bus or storage account.
Name | Type | Description |
---|---|---|
credentialsConfig | object | Credentials for service bus namespace, keyvault uri for access key |
storageAccountCredentialsConfig | object | Credentials for storage account, keyvault uri for access key |
type | string: ServiceBus | The auth type |
GitHubAuthModel
Model for API authentication for GitHub. For this authentication first we need to approve the Router app (Microsoft Security DevOps) to access the GitHub account; then we only need the InstallationId to get the access token from https://api.github.com/app/installations/{installId}/access_tokens.
Name | Type | Description |
---|---|---|
installationId | string | The GitHubApp auth installation id. |
type | string: GitHub | The auth type |
httpMethodVerb
The HTTP method, default value GET.
Name | Type | Description |
---|---|---|
DELETE | string | |
GET | string | |
POST | string | |
PUT | string | |
Indicators
Data type for indicators connection.
Name | Type | Description |
---|---|---|
state | | Describe whether this data type connection is enabled or not. |
JwtAuthModel
Model for API authentication with JWT. Simple exchange between user name + password to access token.
Name | Type | Default value | Description |
---|---|---|---|
headers | object | | The custom headers we want to add once we send request to token endpoint. |
isCredentialsInHeaders | boolean | | Flag indicating whether we want to send the user name and password to token endpoint in the headers. |
isJsonRequest | boolean | False | Flag indicating whether the body request is JSON (header Content-Type = application/json), meaning it's a Form URL encoded request (header Content-Type = application/x-www-form-urlencoded). |
password | object | | The password |
queryParameters | object | | The custom query parameter we want to add once we send request to token endpoint. |
requestTimeoutInSeconds | integer | 100 | Request timeout in seconds. |
tokenEndpoint | string | | Token endpoint to request JWT |
type | string: JwtToken | | The auth type |
userName | object | | The user name. If user name and password sent in header request we only need to populate the |
Logs
Logs data type.
Name | Type | Description |
---|---|---|
state | | Describe whether this data type connection is enabled or not. |
MCASDataConnector
Represents MCAS (Microsoft Cloud App Security) data connector.
Name | Type | Description |
---|---|---|
etag | string | Etag of the azure resource |
id | string | Fully qualified resource ID for the resource. E.g. "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/{resourceProviderNamespace}/{resourceType}/{resourceName}" |
kind | string: MicrosoftCloudAppSecurity | The data connector kind |
name | string | The name of the resource |
properties.dataTypes | | The available data types for the connector. |
properties.tenantId | string | The tenant id to connect to, and get the data from. |
systemData | | Azure Resource Manager metadata containing createdBy and modifiedBy information. |
type | string | The type of the resource. E.g. "Microsoft.Compute/virtualMachines" or "Microsoft.Storage/storageAccounts" |
MCASDataConnectorDataTypes
The available data types for MCAS (Microsoft Cloud App Security) data connector.
Name | Type | Description |
---|---|---|
alerts | | Alerts data type connection. |
discoveryLogs | | Discovery log data type connection. |
MDATPDataConnector
Represents MDATP (Microsoft Defender Advanced Threat Protection) data connector.
Name | Type | Description |
---|---|---|
etag | string | Etag of the azure resource |
id | string | Fully qualified resource ID for the resource. E.g. "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/{resourceProviderNamespace}/{resourceType}/{resourceName}" |
kind | string: MicrosoftDefenderAdvancedThreatProtection | The data connector kind |
name | string | The name of the resource |
properties.dataTypes | | The available data types for the connector. |
properties.tenantId | string | The tenant id to connect to, and get the data from. |
systemData | | Azure Resource Manager metadata containing createdBy and modifiedBy information. |
type | string | The type of the resource. E.g. "Microsoft.Compute/virtualMachines" or "Microsoft.Storage/storageAccounts" |
MicrosoftEmergingThreatFeed
Data type for Microsoft Threat Intelligence data connector.
Name | Type | Description |
---|---|---|
lookbackPeriod |
string |
The lookback period for the feed to be imported. The date-time to begin importing the feed from, for example: 2024-01-01T00:00:00.000Z. |
state |
Describes whether this data type connection is enabled or not. |
MSTIDataConnector
Represents Microsoft Threat Intelligence data connector.
Name | Type | Description |
---|---|---|
etag |
string |
Etag of the Azure resource |
id |
string |
Fully qualified resource ID for the resource. E.g. "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/{resourceProviderNamespace}/{resourceType}/{resourceName}" |
kind |
string:
Microsoft |
The data connector kind |
name |
string |
The name of the resource |
properties.dataTypes |
The available data types for the connector. |
|
properties.tenantId |
string |
The tenant id to connect to, and get the data from. |
systemData |
Azure Resource Manager metadata containing createdBy and modifiedBy information. |
|
type |
string |
The type of the resource. E.g. "Microsoft.Compute/virtualMachines" or "Microsoft.Storage/storageAccounts" |
MSTIDataConnectorDataTypes
The available data types for Microsoft Threat Intelligence data connector.
Name | Type | Description |
---|---|---|
microsoftEmergingThreatFeed |
Data type for Microsoft Threat Intelligence data connector. |
NoneAuthModel
Model for API authentication with no authentication method - public API.
Name | Type | Description |
---|---|---|
type |
string:
None |
The auth type |
OAuthModel
Model for API authentication with OAuth2.
Name | Type | Default value | Description |
---|---|---|---|
accessTokenPrepend |
string |
Access token prepend. Default is 'Bearer'. |
|
authorizationCode |
string |
The user's authorization code. |
|
authorizationEndpoint |
string |
The authorization endpoint. |
|
authorizationEndpointHeaders |
object |
The authorization endpoint headers. |
|
authorizationEndpointQueryParameters |
object |
The authorization endpoint query parameters. |
|
clientId |
string |
The Application (client) ID that the OAuth provider assigned to your app. |
|
clientSecret |
string |
The Application (client) secret that the OAuth provider assigned to your app. |
|
grantType |
string |
The grant type; usually 'authorization code'. |
|
isCredentialsInHeaders |
boolean |
False |
Indicates whether to send the clientId and clientSecret to the token endpoint in the headers. |
isJwtBearerFlow |
boolean |
A value indicating whether it's a JWT flow. |
|
redirectUri |
string |
The application redirect URL that the user configured in the OAuth provider. |
|
scope |
string |
The Application (client) Scope that the OAuth provider assigned to your app. |
|
tokenEndpoint |
string |
The token endpoint. Defines the OAuth2 refresh token. |
|
tokenEndpointHeaders |
object |
The token endpoint headers. |
|
tokenEndpointQueryParameters |
object |
The token endpoint query parameters. |
|
type |
string:
OAuth2 |
The auth type |
OfficeDataConnector
Represents office data connector.
Name | Type | Description |
---|---|---|
etag |
string |
Etag of the Azure resource |
id |
string |
Fully qualified resource ID for the resource. E.g. "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/{resourceProviderNamespace}/{resourceType}/{resourceName}" |
kind |
string:
Office365 |
The data connector kind |
name |
string |
The name of the resource |
properties.dataTypes |
The available data types for the connector. |
|
properties.tenantId |
string |
The tenant id to connect to, and get the data from. |
systemData |
Azure Resource Manager metadata containing createdBy and modifiedBy information. |
|
type |
string |
The type of the resource. E.g. "Microsoft.Compute/virtualMachines" or "Microsoft.Storage/storageAccounts" |
OfficeDataConnectorDataTypes
The available data types for office data connector.
Name | Type | Description |
---|---|---|
exchange |
Exchange data type connection. |
|
sharePoint |
SharePoint data type connection. |
|
teams |
Teams data type connection. |
OracleAuthModel
Model for API authentication for Oracle.
Name | Type | Description |
---|---|---|
pemFile |
string |
Content of the PEM file |
publicFingerprint |
string |
Public Fingerprint |
tenantId |
string |
Oracle tenant ID |
type |
string:
Oracle |
The auth type |
userId |
string |
Oracle user ID |
PremiumMdtiDataConnectorDataTypes
The available data types for Premium Microsoft Defender for Threat Intelligence data connector.
Name | Type | Description |
---|---|---|
connector |
Data type for Premium Microsoft Defender for Threat Intelligence data connector. |
PremiumMicrosoftDefenderForThreatIntelligence
Represents Premium Microsoft Defender for Threat Intelligence data connector.
Name | Type | Description |
---|---|---|
etag |
string |
Etag of the Azure resource |
id |
string |
Fully qualified resource ID for the resource. E.g. "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/{resourceProviderNamespace}/{resourceType}/{resourceName}" |
kind | string: |
The data connector kind |
name |
string |
The name of the resource |
properties.dataTypes |
The available data types for the connector. |
|
properties.lookbackPeriod |
string |
The lookback period for the feed to be imported. The date-time to begin importing the feed from, for example: 2024-01-01T00:00:00.000Z. |
properties.requiredSKUsPresent |
boolean |
The flag to indicate whether the tenant has the premium SKU required to access this connector. |
properties.tenantId |
string |
The tenant id to connect to, and get the data from. |
systemData |
Azure Resource Manager metadata containing createdBy and modifiedBy information. |
|
type |
string |
The type of the resource. E.g. "Microsoft.Compute/virtualMachines" or "Microsoft.Storage/storageAccounts" |
RestApiPollerDataConnector
Represents Rest Api Poller data connector.
Name | Type | Description |
---|---|---|
etag |
string |
Etag of the Azure resource |
id |
string |
Fully qualified resource ID for the resource. E.g. "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/{resourceProviderNamespace}/{resourceType}/{resourceName}" |
kind |
string:
Rest |
The data connector kind |
name |
string |
The name of the resource |
properties.addOnAttributes |
object |
The add on attributes. The key name will become attribute name (a column) and the value will become the attribute value in the payload. |
properties.auth | CcpAuthConfig: |
The authentication model. |
properties.connectorDefinitionName |
string |
The connector definition name (the dataConnectorDefinition resource id). |
properties.dataType |
string |
The Log Analytics table destination. |
properties.dcrConfig |
The DCR related properties. |
|
properties.isActive |
boolean |
Indicates whether the connector is active or not. |
properties.paging |
The paging configuration. |
|
properties.request |
The request configuration. |
|
properties.response |
The response configuration. |
|
systemData |
Azure Resource Manager metadata containing createdBy and modifiedBy information. |
|
type |
string |
The type of the resource. E.g. "Microsoft.Compute/virtualMachines" or "Microsoft.Storage/storageAccounts" |
RestApiPollerRequestConfig
The request configuration.
Name | Type | Description |
---|---|---|
apiEndpoint |
string |
The API endpoint. |
endTimeAttributeName |
string |
The query parameter name which the remote server expects to end the query. This property goes hand in hand with
headers |
object |
The header for the request for the remote server. |
httpMethod |
The HTTP method, default value GET. |
|
isPostPayloadJson |
boolean |
Flag to indicate if HTTP POST payload is in JSON format (vs form-urlencoded). |
queryParameters |
|
The HTTP query parameters to RESTful API. |
queryParametersTemplate |
string |
The query parameters template. Defines the query parameters template to use when passing query parameters in advanced scenarios. |
queryTimeFormat |
string |
The query time format. A remote server can have a query to pull data from range 'start' to 'end'. This property indicates the expected time format that the remote server knows how to parse. |
queryTimeIntervalAttributeName |
string |
The query parameter name which we need to send to the server to query logs in a time interval. Should be defined with
queryTimeIntervalDelimiter |
string |
The delimiter string between 2 QueryTimeFormat in the query parameter |
queryTimeIntervalPrepend |
string |
The string prepended to the value of the query parameter in
queryWindowInMin |
integer |
The query window in minutes for the request. |
rateLimitQPS |
integer |
The rate limit in queries per second for the request. |
retryCount |
integer |
The retry count. |
startTimeAttributeName |
string |
The query parameter name which the remote server expects to start the query. This property goes hand in hand with
timeoutInSeconds |
integer |
The timeout in seconds. |
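A pre-submission check for a Rest Api Poller connector body, written against the field names in the RestApiPollerDataConnector, RestApiPollerRequestConfig, OAuthModel and SessionAuthModel tables. This is an added example, not code from the API reference: the function name, the credential-header list and the https-only rule are assumptions of the example, and the sample body is constructed.

```python
from urllib.parse import urlsplit

# Assumed review policy (not from the API reference): header names that
# usually carry credentials and belong in properties.auth instead.
CREDENTIAL_HEADERS = {"authorization", "cookie", "x-api-key"}

# URL-valued fields per auth type, using the field names from the tables.
AUTH_URL_FIELDS = {
    "OAuth2": ("authorizationEndpoint", "tokenEndpoint"),
    "Session": ("sessionLoginRequestUri",),
}


def _is_https(url):
    parts = urlsplit(url or "")
    return parts.scheme == "https" and bool(parts.netloc)


def lint_poller_body(body):
    """Return a list of findings for a Rest Api Poller connector body."""
    props = body.get("properties", {})
    auth = props.get("auth") or {}
    request = props.get("request") or {}
    findings = []

    if not _is_https(request.get("apiEndpoint")):
        findings.append("request.apiEndpoint: not an https URL")
    for name in request.get("headers") or {}:
        if name.lower() in CREDENTIAL_HEADERS:
            findings.append(f"request.headers.{name}: credential outside properties.auth")

    auth_type = auth.get("type")
    if auth_type is None:
        findings.append("auth.type: missing")
    elif auth_type == "None":
        findings.append("auth.type: None (public API), confirm this is intended")
    for field in AUTH_URL_FIELDS.get(auth_type, ()):
        if field in auth and not _is_https(auth[field]):
            findings.append(f"auth.{field}: not an https URL")
    return findings


# Constructed sample body; every value is a placeholder.
SAMPLE = {"properties": {
    "auth": {"type": "OAuth2", "tokenEndpoint": "http://idp.example/token",
             "authorizationEndpoint": "https://idp.example/authorize"},
    "request": {"apiEndpoint": "https://api.example/v1/events",
                "headers": {"Accept": "application/json", "X-Api-Key": "placeholder"}},
}}
```

Calling `lint_poller_body(SAMPLE)` reports the credential-bearing request header and the plain-http token endpoint.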
RestApiPollerRequestPagingConfig
The request paging configuration.
Name | Type | Description |
---|---|---|
pageSize |
integer |
Page size |
pageSizeParameterName |
string |
Page size parameter name |
pagingType |
Type of paging |
RestApiPollerRequestPagingKind
Type of paging
Name | Type | Description |
---|---|---|
CountBasedPaging |
string |
|
LinkHeader |
string |
|
NextPageToken |
string |
|
NextPageUrl |
string |
|
Offset |
string |
|
PersistentLinkHeader |
string |
|
PersistentToken |
string |
SessionAuthModel
Model for API authentication with session cookie.
Name | Type | Description |
---|---|---|
headers |
object |
HTTP request headers to session service endpoint. |
isPostPayloadJson |
boolean |
Indicates whether the API key is set in the HTTP POST payload. |
password |
object |
The password attribute name. |
queryParameters |
|
Query parameters to session service endpoint. |
sessionIdName |
string |
Session id attribute name from HTTP response header. |
sessionLoginRequestUri |
string |
HTTP request URL to session service endpoint. |
sessionTimeoutInMinutes |
integer |
Session timeout in minutes. |
type |
string:
Session |
The auth type |
userName |
object |
The user name attribute key value. |
SharePoint
SharePoint data type connection.
Name | Type | Description |
---|---|---|
state |
Describes whether this data type connection is enabled or not. |
systemData
Metadata pertaining to creation and last modification of the resource.
Name | Type | Description |
---|---|---|
createdAt |
string |
The timestamp of resource creation (UTC). |
createdBy |
string |
The identity that created the resource. |
createdByType |
The type of identity that created the resource. |
|
lastModifiedAt |
string |
The timestamp of resource last modification (UTC). |
lastModifiedBy |
string |
The identity that last modified the resource. |
lastModifiedByType |
The type of identity that last modified the resource. |
Teams
Teams data type connection.
Name | Type | Description |
---|---|---|
state |
Describes whether this data type connection is enabled or not. |
TIDataConnector
Represents threat intelligence data connector.
Name | Type | Description |
---|---|---|
etag |
string |
Etag of the Azure resource |
id |
string |
Fully qualified resource ID for the resource. E.g. "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/{resourceProviderNamespace}/{resourceType}/{resourceName}" |
kind |
string:
Threat |
The data connector kind |
name |
string |
The name of the resource |
properties.dataTypes |
The available data types for the connector. |
|
properties.tenantId |
string |
The tenant id to connect to, and get the data from. |
properties.tipLookbackPeriod |
string |
The lookback period for the feed to be imported. |
systemData |
Azure Resource Manager metadata containing createdBy and modifiedBy information. |
|
type |
string |
The type of the resource. E.g. "Microsoft.Compute/virtualMachines" or "Microsoft.Storage/storageAccounts" |
TIDataConnectorDataTypes
The available data types for TI (Threat Intelligence) data connector.
Name | Type | Description |
---|---|---|
indicators |
Data type for indicators connection. |