The azure-native:securityinsights:AATPDataConnector resource, part of the Pulumi Azure Native provider, registers an Azure Advanced Threat Protection data connector within a Microsoft Sentinel workspace. This guide focuses on one capability: connecting AATP to Sentinel workspaces.
Data connectors require an existing Sentinel workspace, resource group, and an active AATP deployment in the tenant. The example is intentionally minimal. Combine it with your own workspace configuration and alert routing logic.
Connect Azure Advanced Threat Protection to Sentinel
Security teams integrate Azure Advanced Threat Protection with Microsoft Sentinel to centralize identity-based threat detection and investigation workflows.
```typescript
import * as pulumi from "@pulumi/pulumi";
import * as azure_native from "@pulumi/azure-native";

const aatpDataConnector = new azure_native.securityinsights.AATPDataConnector("aatpDataConnector", {
    dataConnectorId: "c345bf40-8509-4ed2-b947-50cb773aaf04",
    resourceGroupName: "myRg",
    workspaceName: "myWorkspace",
});
```
```python
import pulumi
import pulumi_azure_native as azure_native

aatp_data_connector = azure_native.securityinsights.AATPDataConnector("aatpDataConnector",
    data_connector_id="c345bf40-8509-4ed2-b947-50cb773aaf04",
    resource_group_name="myRg",
    workspace_name="myWorkspace")
```
```go
package main

import (
	securityinsights "github.com/pulumi/pulumi-azure-native-sdk/securityinsights/v3"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := securityinsights.NewAATPDataConnector(ctx, "aatpDataConnector", &securityinsights.AATPDataConnectorArgs{
			DataConnectorId:   pulumi.String("c345bf40-8509-4ed2-b947-50cb773aaf04"),
			ResourceGroupName: pulumi.String("myRg"),
			WorkspaceName:     pulumi.String("myWorkspace"),
		})
		if err != nil {
			return err
		}
		return nil
	})
}
```
```csharp
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using AzureNative = Pulumi.AzureNative;

return await Deployment.RunAsync(() =>
{
    var aatpDataConnector = new AzureNative.SecurityInsights.AATPDataConnector("aatpDataConnector", new()
    {
        DataConnectorId = "c345bf40-8509-4ed2-b947-50cb773aaf04",
        ResourceGroupName = "myRg",
        WorkspaceName = "myWorkspace",
    });
});
```
```java
package generated_program;

import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.azurenative.securityinsights.AATPDataConnector;
import com.pulumi.azurenative.securityinsights.AATPDataConnectorArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;

public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    public static void stack(Context ctx) {
        var aatpDataConnector = new AATPDataConnector("aatpDataConnector", AATPDataConnectorArgs.builder()
            .dataConnectorId("c345bf40-8509-4ed2-b947-50cb773aaf04")
            .resourceGroupName("myRg")
            .workspaceName("myWorkspace")
            .build());
    }
}
```
```yaml
resources:
  aatpDataConnector:
    type: azure-native:securityinsights:AATPDataConnector
    properties:
      dataConnectorId: c345bf40-8509-4ed2-b947-50cb773aaf04
      resourceGroupName: myRg
      workspaceName: myWorkspace
```
The connector streams AATP alerts and detections into your Sentinel workspace. The dataConnectorId provides a unique identifier for this connector instance. The workspaceName and resourceGroupName bind the connector to a specific Sentinel deployment. The tenantId property (required but not shown in this minimal example) specifies which Azure AD tenant’s AATP data to ingest.
Beyond these examples
This snippet focuses on data connector registration. It’s intentionally minimal rather than a full security monitoring deployment.
The example references pre-existing infrastructure such as a Microsoft Sentinel workspace, Azure resource group, and Azure Advanced Threat Protection deployment. It focuses on connector configuration rather than provisioning the underlying security infrastructure.
To keep things focused, common connector patterns are omitted, including:
- Data type filtering (dataTypes property)
- Connector state management and monitoring
- Multi-tenant connector configuration
- Custom alert routing and filtering
These omissions are intentional: the goal is to illustrate how the data connector is wired, not provide a drop-in security module. See the AATPDataConnector resource reference for all available configuration options.
Frequently Asked Questions
Configuration & Setup
kind (set to ‘AzureAdvancedThreatProtection’), tenantId (the tenant to connect to), dataConnectorId, resourceGroupName, and workspaceName.
The examples omit tenantId despite it being required. Make sure to include tenantId in your configuration even though it’s missing from the provided examples.
Set kind to ‘AzureAdvancedThreatProtection’ (this is the only valid value for this connector type).
Resource Management
The dataConnectorId, resourceGroupName, and workspaceName properties are immutable and cannot be modified after creation.
/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/dataConnectors/{dataConnectorId}.
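A pre-deployment check for the points in this FAQ, added here as an example and not taken from the original page or the Pulumi provider: it flags a connector definition that lacks `kind` or `tenantId`, reports edits to the immutable properties, and builds the resource ID in the format shown above. The function names, the GUID-format check and the all-zero tenant ID are assumptions made for illustration; the input is a plain mapping shaped like the YAML `properties` block.

```python
import re

# From the page: the only valid kind and the properties fixed at creation.
KIND = "AzureAdvancedThreatProtection"
IMMUTABLE = ("dataConnectorId", "resourceGroupName", "workspaceName")
# Assumption of this check: tenant IDs are written in GUID form.
GUID = re.compile(r"^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$")

# The page's minimal example: no kind, no tenantId.
PAGE_EXAMPLE = {
    "dataConnectorId": "c345bf40-8509-4ed2-b947-50cb773aaf04",
    "resourceGroupName": "myRg",
    "workspaceName": "myWorkspace",
}
# Constructed: all-zero placeholder tenant GUID.
COMPLETE = {**PAGE_EXAMPLE, "kind": KIND, "tenantId": "00000000-0000-0000-0000-000000000000"}


def check_connector(props, deployed=None):
    """Return findings for one connector; `deployed` is its current state, if any."""
    findings = []
    if props.get("kind") != KIND:
        findings.append(f"kind must be '{KIND}'")
    tenant = props.get("tenantId")
    if not tenant:
        findings.append("tenantId is required")
    elif not GUID.match(tenant):
        findings.append("tenantId is not a GUID")
    for name in IMMUTABLE:
        if deployed and name in deployed and deployed[name] != props.get(name):
            findings.append(f"{name} is immutable and cannot be modified after creation")
    return findings


def resource_id(subscription_id, props):
    """Build the connector's resource ID in the format the page gives."""
    return (
        f"/subscriptions/{subscription_id}"
        f"/resourceGroups/{props['resourceGroupName']}"
        "/providers/Microsoft.OperationalInsights"
        f"/workspaces/{props['workspaceName']}"
        "/providers/Microsoft.SecurityInsights"
        f"/dataConnectors/{props['dataConnectorId']}"
    )


if __name__ == "__main__":
    for finding in check_connector(PAGE_EXAMPLE):
        print(finding)
    print(resource_id("<subscriptionId>", COMPLETE))
```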