Configure Azure Advanced Threat Protection Data Connectors

The azure-native:securityinsights:AATPDataConnector resource, part of the Pulumi Azure Native provider, registers an Azure Advanced Threat Protection data connector within a Microsoft Sentinel workspace. This guide focuses on one capability: connecting AATP to Sentinel workspaces.

Data connectors link threat detection sources to Sentinel. AATP must already be deployed and generating alerts. The example is intentionally minimal. Extend it with tenant ID specification and data type filtering for production deployments.

Connect Azure Advanced Threat Protection to Sentinel

Security teams integrate AATP with Sentinel to centralize identity-based threat detection and investigation.

TypeScript

```typescript
import * as pulumi from "@pulumi/pulumi";
import * as azure_native from "@pulumi/azure-native";

// Register the AATP connector on an existing Sentinel workspace.
const aatpDataConnector = new azure_native.securityinsights.AATPDataConnector("aatpDataConnector", {
    dataConnectorId: "c345bf40-8509-4ed2-b947-50cb773aaf04",
    // kind is required and must be AzureAdvancedThreatProtection for this connector type.
    kind: "AzureAdvancedThreatProtection",
    resourceGroupName: "myRg",
    workspaceName: "myWorkspace",
});
```

Python

```python
import pulumi
import pulumi_azure_native as azure_native

# Register the AATP connector on an existing Sentinel workspace.
aatp_data_connector = azure_native.securityinsights.AATPDataConnector("aatpDataConnector",
    data_connector_id="c345bf40-8509-4ed2-b947-50cb773aaf04",
    # kind is required and must be AzureAdvancedThreatProtection for this connector type.
    kind="AzureAdvancedThreatProtection",
    resource_group_name="myRg",
    workspace_name="myWorkspace")
```

Go

```go
package main

import (
	securityinsights "github.com/pulumi/pulumi-azure-native-sdk/securityinsights/v3"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		// Register the AATP connector on an existing Sentinel workspace.
		_, err := securityinsights.NewAATPDataConnector(ctx, "aatpDataConnector", &securityinsights.AATPDataConnectorArgs{
			DataConnectorId: pulumi.String("c345bf40-8509-4ed2-b947-50cb773aaf04"),
			// Kind is required and must be AzureAdvancedThreatProtection for this connector type.
			Kind:              pulumi.String("AzureAdvancedThreatProtection"),
			ResourceGroupName: pulumi.String("myRg"),
			WorkspaceName:     pulumi.String("myWorkspace"),
		})
		if err != nil {
			return err
		}
		return nil
	})
}
```

C#

```csharp
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using AzureNative = Pulumi.AzureNative;

return await Deployment.RunAsync(() => 
{
    // Register the AATP connector on an existing Sentinel workspace.
    var aatpDataConnector = new AzureNative.SecurityInsights.AATPDataConnector("aatpDataConnector", new()
    {
        DataConnectorId = "c345bf40-8509-4ed2-b947-50cb773aaf04",
        // Kind is required and must be AzureAdvancedThreatProtection for this connector type.
        Kind = "AzureAdvancedThreatProtection",
        ResourceGroupName = "myRg",
        WorkspaceName = "myWorkspace",
    });

});
```

Java

```java
package generated_program;

import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.azurenative.securityinsights.AATPDataConnector;
import com.pulumi.azurenative.securityinsights.AATPDataConnectorArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;

public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    public static void stack(Context ctx) {
        // Register the AATP connector on an existing Sentinel workspace.
        var aatpDataConnector = new AATPDataConnector("aatpDataConnector", AATPDataConnectorArgs.builder()
            .dataConnectorId("c345bf40-8509-4ed2-b947-50cb773aaf04")
            // kind is required and must be AzureAdvancedThreatProtection for this connector type.
            .kind("AzureAdvancedThreatProtection")
            .resourceGroupName("myRg")
            .workspaceName("myWorkspace")
            .build());

    }
}
```

YAML

```yaml
resources:
  aatpDataConnector:
    type: azure-native:securityinsights:AATPDataConnector
    properties:
      dataConnectorId: c345bf40-8509-4ed2-b947-50cb773aaf04
      # kind is required and must be AzureAdvancedThreatProtection for this connector type.
      kind: AzureAdvancedThreatProtection
      resourceGroupName: myRg
      workspaceName: myWorkspace
```

When you create the connector, Sentinel begins ingesting AATP alerts and detections into the specified workspace. The dataConnectorId uniquely identifies this connector instance. The resourceGroupName and workspaceName target the Sentinel workspace where alerts will appear. Without additional configuration, the connector uses default tenant and data type settings.

Beyond these examples

This snippet focuses on data connector registration. It’s intentionally minimal rather than a full security monitoring deployment.

The example references pre-existing infrastructure such as a Microsoft Sentinel workspace and an Azure Advanced Threat Protection deployment. It focuses on connector configuration rather than provisioning the underlying security services.

To keep things focused, common connector patterns are omitted, including:

  • Tenant ID specification (tenantId)
  • Data type filtering (dataTypes)
  • Connector state management (etag)

These omissions are intentional: the goal is to illustrate how the data connector is wired, not provide a drop-in security module. See the AATPDataConnector resource reference for all available configuration options.
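The tenantId and dataTypes settings omitted above, shown as an added Pulumi YAML example (not part of the original guide or Pulumi's own code). It assumes a hypothetical project name and a stack config key named `tenantId` holding your tenant GUID; the resource names and connector ID are the guide's sample values, and etag is left unset.

```yaml
name: sentinel-aatp-connector   # hypothetical project name
runtime: yaml

config:
  # Assumed stack config key; set it with: pulumi config set tenantId <your-tenant-guid>
  tenantId:
    type: string

resources:
  aatpDataConnector:
    type: azure-native:securityinsights:AATPDataConnector
    properties:
      dataConnectorId: c345bf40-8509-4ed2-b947-50cb773aaf04
      kind: AzureAdvancedThreatProtection
      resourceGroupName: myRg
      workspaceName: myWorkspace
      # Pin the tenant to connect to and retrieve data from instead of relying on the default.
      tenantId: ${tenantId}
      # State the alert ingestion setting explicitly so it is visible in code review.
      dataTypes:
        alerts:
          state: Enabled

outputs:
  # Resource name of the connector, for cross-checking against the workspace's connector list.
  connectorName: ${aatpDataConnector.name}
```

Setting `state` to `Disabled` keeps the connector registered while turning off alert ingestion, so a reviewer should treat a change to that value as a change in detection coverage.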

Frequently Asked Questions

Configuration & Setup

What are the minimum required properties to create an AATP data connector?
You need dataConnectorId, resourceGroupName, workspaceName, and kind (which must be set to AzureAdvancedThreatProtection).

What value should I use for the kind property?
The kind property must be set to AzureAdvancedThreatProtection for AATP data connectors.

Resource Lifecycle

What properties can't I change after creating the connector?
The dataConnectorId, resourceGroupName, and workspaceName properties are immutable. Changing any of these requires replacing the resource.

What changed in the Azure API version for this resource?
The resource now uses Azure REST API version 2024-09-01. In version 2.x of the Azure Native provider, it used API version 2023-02-01.

Optional Configuration

Do I need to specify a tenant ID?
No, tenantId is optional. If specified, it determines which tenant to connect to and retrieve data from.
