The azure-native:securityinsights:PremiumMicrosoftDefenderForThreatIntelligence resource, part of the Pulumi Azure Native provider, establishes a data connector between Microsoft Sentinel and Premium Microsoft Defender for Threat Intelligence feeds. This guide focuses on two capabilities: workspace connection setup and historical data backfill configuration.
Data connectors link to existing Sentinel workspaces and require the premium SKU for full functionality. The examples are intentionally small. Combine them with your own workspace configuration and access policies.
Connect a workspace with minimal configuration
Security teams often start by establishing the basic connection between their Sentinel workspace and the threat intelligence feed.
import * as pulumi from "@pulumi/pulumi";
import * as azure_native from "@pulumi/azure-native";
const premiumMicrosoftDefenderForThreatIntelligence = new azure_native.securityinsights.PremiumMicrosoftDefenderForThreatIntelligence("premiumMicrosoftDefenderForThreatIntelligence", {
dataConnectorId: "c345bf40-8509-4ed2-b947-50cb773aaf04",
resourceGroupName: "myRg",
workspaceName: "myWorkspace",
});
import pulumi
import pulumi_azure_native as azure_native
premium_microsoft_defender_for_threat_intelligence = azure_native.securityinsights.PremiumMicrosoftDefenderForThreatIntelligence("premiumMicrosoftDefenderForThreatIntelligence",
data_connector_id="c345bf40-8509-4ed2-b947-50cb773aaf04",
resource_group_name="myRg",
workspace_name="myWorkspace")
package main
import (
securityinsights "github.com/pulumi/pulumi-azure-native-sdk/securityinsights/v3"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
_, err := securityinsights.NewPremiumMicrosoftDefenderForThreatIntelligence(ctx, "premiumMicrosoftDefenderForThreatIntelligence", &securityinsights.PremiumMicrosoftDefenderForThreatIntelligenceArgs{
DataConnectorId: pulumi.String("c345bf40-8509-4ed2-b947-50cb773aaf04"),
ResourceGroupName: pulumi.String("myRg"),
WorkspaceName: pulumi.String("myWorkspace"),
})
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using AzureNative = Pulumi.AzureNative;
return await Deployment.RunAsync(() =>
{
var premiumMicrosoftDefenderForThreatIntelligence = new AzureNative.SecurityInsights.PremiumMicrosoftDefenderForThreatIntelligence("premiumMicrosoftDefenderForThreatIntelligence", new()
{
DataConnectorId = "c345bf40-8509-4ed2-b947-50cb773aaf04",
ResourceGroupName = "myRg",
WorkspaceName = "myWorkspace",
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.azurenative.securityinsights.PremiumMicrosoftDefenderForThreatIntelligence;
import com.pulumi.azurenative.securityinsights.PremiumMicrosoftDefenderForThreatIntelligenceArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var premiumMicrosoftDefenderForThreatIntelligence = new PremiumMicrosoftDefenderForThreatIntelligence("premiumMicrosoftDefenderForThreatIntelligence", PremiumMicrosoftDefenderForThreatIntelligenceArgs.builder()
.dataConnectorId("c345bf40-8509-4ed2-b947-50cb773aaf04")
.resourceGroupName("myRg")
.workspaceName("myWorkspace")
.build());
}
}
resources:
premiumMicrosoftDefenderForThreatIntelligence:
type: azure-native:securityinsights:PremiumMicrosoftDefenderForThreatIntelligence
properties:
dataConnectorId: c345bf40-8509-4ed2-b947-50cb773aaf04
resourceGroupName: myRg
workspaceName: myWorkspace
The dataConnectorId uniquely identifies this connector instance within your workspace. The resourceGroupName and workspaceName properties specify where the connector lives. Without additional configuration, the connector uses default settings for data ingestion and begins importing current threat intelligence.
Configure data ingestion with historical lookback
Organizations migrating to Defender for Threat Intelligence or recovering from an outage need to backfill historical data to maintain continuous security coverage.
import * as pulumi from "@pulumi/pulumi";
import * as azure_native from "@pulumi/azure-native";
const premiumMicrosoftDefenderForThreatIntelligence = new azure_native.securityinsights.PremiumMicrosoftDefenderForThreatIntelligence("premiumMicrosoftDefenderForThreatIntelligence", {
dataConnectorId: "8c569548-a86c-4fb4-8ae4-d1e35a6146f8",
dataTypes: {
connector: {
state: azure_native.securityinsights.DataTypeState.Enabled,
},
},
kind: "PremiumMicrosoftDefenderForThreatIntelligence",
lookbackPeriod: "1970-01-01T00:00:00.000Z",
resourceGroupName: "myRg",
tenantId: "e4afb3c4-813b-4e68-b6de-e5360866e798",
workspaceName: "myWorkspace",
});
import pulumi
import pulumi_azure_native as azure_native
premium_microsoft_defender_for_threat_intelligence = azure_native.securityinsights.PremiumMicrosoftDefenderForThreatIntelligence("premiumMicrosoftDefenderForThreatIntelligence",
data_connector_id="8c569548-a86c-4fb4-8ae4-d1e35a6146f8",
data_types={
"connector": {
"state": azure_native.securityinsights.DataTypeState.ENABLED,
},
},
kind="PremiumMicrosoftDefenderForThreatIntelligence",
lookback_period="1970-01-01T00:00:00.000Z",
resource_group_name="myRg",
tenant_id="e4afb3c4-813b-4e68-b6de-e5360866e798",
workspace_name="myWorkspace")
package main
import (
securityinsights "github.com/pulumi/pulumi-azure-native-sdk/securityinsights/v3"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
_, err := securityinsights.NewPremiumMicrosoftDefenderForThreatIntelligence(ctx, "premiumMicrosoftDefenderForThreatIntelligence", &securityinsights.PremiumMicrosoftDefenderForThreatIntelligenceArgs{
DataConnectorId: pulumi.String("8c569548-a86c-4fb4-8ae4-d1e35a6146f8"),
DataTypes: &securityinsights.PremiumMdtiDataConnectorDataTypesArgs{
Connector: &securityinsights.PremiumMdtiDataConnectorDataTypesConnectorArgs{
State: pulumi.String(securityinsights.DataTypeStateEnabled),
},
},
Kind: pulumi.String("PremiumMicrosoftDefenderForThreatIntelligence"),
LookbackPeriod: pulumi.String("1970-01-01T00:00:00.000Z"),
ResourceGroupName: pulumi.String("myRg"),
TenantId: pulumi.String("e4afb3c4-813b-4e68-b6de-e5360866e798"),
WorkspaceName: pulumi.String("myWorkspace"),
})
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using AzureNative = Pulumi.AzureNative;
return await Deployment.RunAsync(() =>
{
var premiumMicrosoftDefenderForThreatIntelligence = new AzureNative.SecurityInsights.PremiumMicrosoftDefenderForThreatIntelligence("premiumMicrosoftDefenderForThreatIntelligence", new()
{
DataConnectorId = "8c569548-a86c-4fb4-8ae4-d1e35a6146f8",
DataTypes = new AzureNative.SecurityInsights.Inputs.PremiumMdtiDataConnectorDataTypesArgs
{
Connector = new AzureNative.SecurityInsights.Inputs.PremiumMdtiDataConnectorDataTypesConnectorArgs
{
State = AzureNative.SecurityInsights.DataTypeState.Enabled,
},
},
Kind = "PremiumMicrosoftDefenderForThreatIntelligence",
LookbackPeriod = "1970-01-01T00:00:00.000Z",
ResourceGroupName = "myRg",
TenantId = "e4afb3c4-813b-4e68-b6de-e5360866e798",
WorkspaceName = "myWorkspace",
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.azurenative.securityinsights.PremiumMicrosoftDefenderForThreatIntelligence;
import com.pulumi.azurenative.securityinsights.PremiumMicrosoftDefenderForThreatIntelligenceArgs;
import com.pulumi.azurenative.securityinsights.inputs.PremiumMdtiDataConnectorDataTypesArgs;
import com.pulumi.azurenative.securityinsights.inputs.PremiumMdtiDataConnectorDataTypesConnectorArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var premiumMicrosoftDefenderForThreatIntelligence = new PremiumMicrosoftDefenderForThreatIntelligence("premiumMicrosoftDefenderForThreatIntelligence", PremiumMicrosoftDefenderForThreatIntelligenceArgs.builder()
.dataConnectorId("8c569548-a86c-4fb4-8ae4-d1e35a6146f8")
.dataTypes(PremiumMdtiDataConnectorDataTypesArgs.builder()
.connector(PremiumMdtiDataConnectorDataTypesConnectorArgs.builder()
.state("Enabled")
.build())
.build())
.kind("PremiumMicrosoftDefenderForThreatIntelligence")
.lookbackPeriod("1970-01-01T00:00:00.000Z")
.resourceGroupName("myRg")
.tenantId("e4afb3c4-813b-4e68-b6de-e5360866e798")
.workspaceName("myWorkspace")
.build());
}
}
resources:
premiumMicrosoftDefenderForThreatIntelligence:
type: azure-native:securityinsights:PremiumMicrosoftDefenderForThreatIntelligence
properties:
dataConnectorId: 8c569548-a86c-4fb4-8ae4-d1e35a6146f8
dataTypes:
connector:
state: Enabled
kind: PremiumMicrosoftDefenderForThreatIntelligence
lookbackPeriod: 1970-01-01T00:00:00.000Z
resourceGroupName: myRg
tenantId: e4afb3c4-813b-4e68-b6de-e5360866e798
workspaceName: myWorkspace
The lookbackPeriod property sets the starting point for historical import, allowing you to ingest threat intelligence from a specific date. The dataTypes block controls which feeds are enabled; setting state to “Enabled” activates the connector feed. The tenantId specifies which Azure AD tenant’s threat intelligence to import, and the kind property must be set to “PremiumMicrosoftDefenderForThreatIntelligence” to use this connector type.
Beyond these examples
These snippets focus on specific connector-level features: workspace connection and identification, and data type enablement and historical backfill. They’re intentionally minimal rather than full security monitoring deployments.
The examples reference pre-existing infrastructure such as Microsoft Sentinel workspace, Azure resource group, and Premium SKU subscription (for full functionality). They focus on configuring the connector rather than provisioning the surrounding security infrastructure.
To keep things focused, common connector patterns are omitted, including:
- SKU validation (requiredSKUsPresent flag)
- Data type state management (enabling/disabling specific feeds)
- Multi-tenant configurations
- Connector lifecycle management (updates, deletions)
These omissions are intentional: the goal is to illustrate how the connector is wired, not provide drop-in security modules. See the PremiumMicrosoftDefenderForThreatIntelligence resource reference for all available configuration options.
Let's configure Azure Microsoft Defender for Threat Intelligence
Get started with Pulumi Cloud, then follow our quick setup guide to deploy this infrastructure.
Try Pulumi Cloud for FREEFrequently Asked Questions
Configuration & Setup
dataConnectorId, resourceGroupName, workspaceName, dataTypes, kind, and lookbackPeriod. The kind property must be set to PremiumMicrosoftDefenderForThreatIntelligence.dataTypes.connector.state to Enabled in your configuration.1970-01-01T00:00:00.000Z or 2024-01-01T00:00:00.000Z.Immutability & Updates
dataConnectorId, resourceGroupName, and workspaceName properties are immutable and require resource recreation to change.