The azure-native:securityinsights:PremiumMicrosoftDefenderForThreatIntelligence resource, part of the Pulumi Azure Native provider, establishes a data connector between Microsoft Sentinel and Microsoft Defender for Threat Intelligence Premium. This guide focuses on two capabilities: workspace connection setup and historical data import configuration.
Data connectors link your Sentinel workspace to threat intelligence feeds and require an existing workspace, resource group, and Azure AD tenant with premium licensing. The examples are intentionally small. Combine them with your own Sentinel workspace configuration and security policies.
Connect a workspace with minimal configuration
Security teams often start by establishing the basic connection between their Sentinel workspace and the threat intelligence feed.
import * as pulumi from "@pulumi/pulumi";
import * as azure_native from "@pulumi/azure-native";
const premiumMicrosoftDefenderForThreatIntelligence = new azure_native.securityinsights.PremiumMicrosoftDefenderForThreatIntelligence("premiumMicrosoftDefenderForThreatIntelligence", {
dataConnectorId: "c345bf40-8509-4ed2-b947-50cb773aaf04",
resourceGroupName: "myRg",
workspaceName: "myWorkspace",
});
import pulumi
import pulumi_azure_native as azure_native
premium_microsoft_defender_for_threat_intelligence = azure_native.securityinsights.PremiumMicrosoftDefenderForThreatIntelligence("premiumMicrosoftDefenderForThreatIntelligence",
data_connector_id="c345bf40-8509-4ed2-b947-50cb773aaf04",
resource_group_name="myRg",
workspace_name="myWorkspace")
package main
import (
securityinsights "github.com/pulumi/pulumi-azure-native-sdk/securityinsights/v3"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
_, err := securityinsights.NewPremiumMicrosoftDefenderForThreatIntelligence(ctx, "premiumMicrosoftDefenderForThreatIntelligence", &securityinsights.PremiumMicrosoftDefenderForThreatIntelligenceArgs{
DataConnectorId: pulumi.String("c345bf40-8509-4ed2-b947-50cb773aaf04"),
ResourceGroupName: pulumi.String("myRg"),
WorkspaceName: pulumi.String("myWorkspace"),
})
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using AzureNative = Pulumi.AzureNative;
return await Deployment.RunAsync(() =>
{
var premiumMicrosoftDefenderForThreatIntelligence = new AzureNative.SecurityInsights.PremiumMicrosoftDefenderForThreatIntelligence("premiumMicrosoftDefenderForThreatIntelligence", new()
{
DataConnectorId = "c345bf40-8509-4ed2-b947-50cb773aaf04",
ResourceGroupName = "myRg",
WorkspaceName = "myWorkspace",
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.azurenative.securityinsights.PremiumMicrosoftDefenderForThreatIntelligence;
import com.pulumi.azurenative.securityinsights.PremiumMicrosoftDefenderForThreatIntelligenceArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var premiumMicrosoftDefenderForThreatIntelligence = new PremiumMicrosoftDefenderForThreatIntelligence("premiumMicrosoftDefenderForThreatIntelligence", PremiumMicrosoftDefenderForThreatIntelligenceArgs.builder()
.dataConnectorId("c345bf40-8509-4ed2-b947-50cb773aaf04")
.resourceGroupName("myRg")
.workspaceName("myWorkspace")
.build());
}
}
resources:
premiumMicrosoftDefenderForThreatIntelligence:
type: azure-native:securityinsights:PremiumMicrosoftDefenderForThreatIntelligence
properties:
dataConnectorId: c345bf40-8509-4ed2-b947-50cb773aaf04
resourceGroupName: myRg
workspaceName: myWorkspace
The dataConnectorId uniquely identifies this connector instance within your workspace. The resourceGroupName and workspaceName properties specify where the connector lives. This minimal configuration establishes the connection but uses default settings for data types and doesn’t configure historical data import.
Configure historical data import with tenant scope
Organizations analyzing historical threat patterns configure the connector to import past threat intelligence data from a specific starting point.
import * as pulumi from "@pulumi/pulumi";
import * as azure_native from "@pulumi/azure-native";
const premiumMicrosoftDefenderForThreatIntelligence = new azure_native.securityinsights.PremiumMicrosoftDefenderForThreatIntelligence("premiumMicrosoftDefenderForThreatIntelligence", {
dataConnectorId: "8c569548-a86c-4fb4-8ae4-d1e35a6146f8",
dataTypes: {
connector: {
state: azure_native.securityinsights.DataTypeState.Enabled,
},
},
kind: "PremiumMicrosoftDefenderForThreatIntelligence",
lookbackPeriod: "1970-01-01T00:00:00.000Z",
resourceGroupName: "myRg",
tenantId: "e4afb3c4-813b-4e68-b6de-e5360866e798",
workspaceName: "myWorkspace",
});
import pulumi
import pulumi_azure_native as azure_native
premium_microsoft_defender_for_threat_intelligence = azure_native.securityinsights.PremiumMicrosoftDefenderForThreatIntelligence("premiumMicrosoftDefenderForThreatIntelligence",
data_connector_id="8c569548-a86c-4fb4-8ae4-d1e35a6146f8",
data_types={
"connector": {
"state": azure_native.securityinsights.DataTypeState.ENABLED,
},
},
kind="PremiumMicrosoftDefenderForThreatIntelligence",
lookback_period="1970-01-01T00:00:00.000Z",
resource_group_name="myRg",
tenant_id="e4afb3c4-813b-4e68-b6de-e5360866e798",
workspace_name="myWorkspace")
package main
import (
securityinsights "github.com/pulumi/pulumi-azure-native-sdk/securityinsights/v3"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
_, err := securityinsights.NewPremiumMicrosoftDefenderForThreatIntelligence(ctx, "premiumMicrosoftDefenderForThreatIntelligence", &securityinsights.PremiumMicrosoftDefenderForThreatIntelligenceArgs{
DataConnectorId: pulumi.String("8c569548-a86c-4fb4-8ae4-d1e35a6146f8"),
DataTypes: &securityinsights.PremiumMdtiDataConnectorDataTypesArgs{
Connector: &securityinsights.PremiumMdtiDataConnectorDataTypesConnectorArgs{
State: pulumi.String(securityinsights.DataTypeStateEnabled),
},
},
Kind: pulumi.String("PremiumMicrosoftDefenderForThreatIntelligence"),
LookbackPeriod: pulumi.String("1970-01-01T00:00:00.000Z"),
ResourceGroupName: pulumi.String("myRg"),
TenantId: pulumi.String("e4afb3c4-813b-4e68-b6de-e5360866e798"),
WorkspaceName: pulumi.String("myWorkspace"),
})
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using AzureNative = Pulumi.AzureNative;
return await Deployment.RunAsync(() =>
{
var premiumMicrosoftDefenderForThreatIntelligence = new AzureNative.SecurityInsights.PremiumMicrosoftDefenderForThreatIntelligence("premiumMicrosoftDefenderForThreatIntelligence", new()
{
DataConnectorId = "8c569548-a86c-4fb4-8ae4-d1e35a6146f8",
DataTypes = new AzureNative.SecurityInsights.Inputs.PremiumMdtiDataConnectorDataTypesArgs
{
Connector = new AzureNative.SecurityInsights.Inputs.PremiumMdtiDataConnectorDataTypesConnectorArgs
{
State = AzureNative.SecurityInsights.DataTypeState.Enabled,
},
},
Kind = "PremiumMicrosoftDefenderForThreatIntelligence",
LookbackPeriod = "1970-01-01T00:00:00.000Z",
ResourceGroupName = "myRg",
TenantId = "e4afb3c4-813b-4e68-b6de-e5360866e798",
WorkspaceName = "myWorkspace",
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.azurenative.securityinsights.PremiumMicrosoftDefenderForThreatIntelligence;
import com.pulumi.azurenative.securityinsights.PremiumMicrosoftDefenderForThreatIntelligenceArgs;
import com.pulumi.azurenative.securityinsights.inputs.PremiumMdtiDataConnectorDataTypesArgs;
import com.pulumi.azurenative.securityinsights.inputs.PremiumMdtiDataConnectorDataTypesConnectorArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var premiumMicrosoftDefenderForThreatIntelligence = new PremiumMicrosoftDefenderForThreatIntelligence("premiumMicrosoftDefenderForThreatIntelligence", PremiumMicrosoftDefenderForThreatIntelligenceArgs.builder()
.dataConnectorId("8c569548-a86c-4fb4-8ae4-d1e35a6146f8")
.dataTypes(PremiumMdtiDataConnectorDataTypesArgs.builder()
.connector(PremiumMdtiDataConnectorDataTypesConnectorArgs.builder()
.state("Enabled")
.build())
.build())
.kind("PremiumMicrosoftDefenderForThreatIntelligence")
.lookbackPeriod("1970-01-01T00:00:00.000Z")
.resourceGroupName("myRg")
.tenantId("e4afb3c4-813b-4e68-b6de-e5360866e798")
.workspaceName("myWorkspace")
.build());
}
}
resources:
premiumMicrosoftDefenderForThreatIntelligence:
type: azure-native:securityinsights:PremiumMicrosoftDefenderForThreatIntelligence
properties:
dataConnectorId: 8c569548-a86c-4fb4-8ae4-d1e35a6146f8
dataTypes:
connector:
state: Enabled
kind: PremiumMicrosoftDefenderForThreatIntelligence
lookbackPeriod: 1970-01-01T00:00:00.000Z
resourceGroupName: myRg
tenantId: e4afb3c4-813b-4e68-b6de-e5360866e798
workspaceName: myWorkspace
The lookbackPeriod property sets the date from which to begin importing threat intelligence data, allowing you to analyze historical patterns. The tenantId specifies which Azure AD tenant’s data to collect. The dataTypes block with connector state set to Enabled activates the feed. The kind property must be set to “PremiumMicrosoftDefenderForThreatIntelligence” to identify this connector type.
Beyond these examples
These snippets focus on specific connector-level features: workspace connection and identification, historical data import configuration, and tenant-scoped data collection. They’re intentionally minimal rather than full security operations deployments.
The examples reference pre-existing infrastructure such as Microsoft Sentinel workspace, Azure resource group, and Azure AD tenant with premium SKU. They focus on configuring the connector rather than provisioning the surrounding security infrastructure.
To keep things focused, common connector patterns are omitted, including:
- SKU validation (requiredSKUsPresent flag)
- Data type state management beyond basic enablement
- Connector lifecycle operations (updates, deletions)
- Integration with other Sentinel data connectors
These omissions are intentional: the goal is to illustrate how the connector is wired, not provide drop-in security modules. See the PremiumMicrosoftDefenderForThreatIntelligence resource reference for all available configuration options.
Let's configure Azure Microsoft Defender for Threat Intelligence
Get started with Pulumi Cloud, then follow our quick setup guide to deploy this infrastructure.
Try Pulumi Cloud for FREEFrequently Asked Questions
Configuration & Setup
dataTypes, kind (set to ‘PremiumMicrosoftDefenderForThreatIntelligence’), lookbackPeriod, and tenantId.dataTypes.connector.state to Enabled in your configuration.1970-01-01T00:00:00.000Z. This specifies when to begin importing the threat intelligence feed.Immutability & Constraints
dataConnectorId, resourceGroupName, and workspaceName properties are immutable and cannot be modified after the resource is created.