The azure-native:securityinsights:MCASDataConnector resource, part of the Pulumi Azure Native provider, registers a Microsoft Cloud App Security data connector within a Sentinel workspace. This guide focuses on one capability: connecting MCAS to Sentinel for threat detection.
The connector requires an existing Sentinel workspace, resource group, and active MCAS license. The example is intentionally minimal. Extend it with data type filtering and alert rules for complete threat detection workflows.
Connect Microsoft Cloud App Security to Sentinel
Security teams integrate Microsoft Cloud App Security with Sentinel to centralize cloud application threat detection and investigation.
import * as pulumi from "@pulumi/pulumi";
import * as azure_native from "@pulumi/azure-native";
const mcasDataConnector = new azure_native.securityinsights.MCASDataConnector("mcasDataConnector", {
dataConnectorId: "c345bf40-8509-4ed2-b947-50cb773aaf04",
resourceGroupName: "myRg",
workspaceName: "myWorkspace",
});
import pulumi
import pulumi_azure_native as azure_native
mcas_data_connector = azure_native.securityinsights.MCASDataConnector("mcasDataConnector",
data_connector_id="c345bf40-8509-4ed2-b947-50cb773aaf04",
resource_group_name="myRg",
workspace_name="myWorkspace")
package main
import (
securityinsights "github.com/pulumi/pulumi-azure-native-sdk/securityinsights/v3"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
_, err := securityinsights.NewMCASDataConnector(ctx, "mcasDataConnector", &securityinsights.MCASDataConnectorArgs{
DataConnectorId: pulumi.String("c345bf40-8509-4ed2-b947-50cb773aaf04"),
ResourceGroupName: pulumi.String("myRg"),
WorkspaceName: pulumi.String("myWorkspace"),
})
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using AzureNative = Pulumi.AzureNative;
return await Deployment.RunAsync(() =>
{
var mcasDataConnector = new AzureNative.SecurityInsights.MCASDataConnector("mcasDataConnector", new()
{
DataConnectorId = "c345bf40-8509-4ed2-b947-50cb773aaf04",
ResourceGroupName = "myRg",
WorkspaceName = "myWorkspace",
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.azurenative.securityinsights.MCASDataConnector;
import com.pulumi.azurenative.securityinsights.MCASDataConnectorArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var mcasDataConnector = new MCASDataConnector("mcasDataConnector", MCASDataConnectorArgs.builder()
.dataConnectorId("c345bf40-8509-4ed2-b947-50cb773aaf04")
.resourceGroupName("myRg")
.workspaceName("myWorkspace")
.build());
}
}
resources:
mcasDataConnector:
type: azure-native:securityinsights:MCASDataConnector
properties:
dataConnectorId: c345bf40-8509-4ed2-b947-50cb773aaf04
resourceGroupName: myRg
workspaceName: myWorkspace
The dataConnectorId uniquely identifies this connector instance within the workspace. The resourceGroupName and workspaceName properties associate the connector with your Sentinel deployment. Once registered, MCAS alerts and discovery logs flow into the workspace for correlation with other security data sources.
Beyond these examples
This snippet focuses on MCAS data connector registration. It’s intentionally minimal rather than a complete threat detection solution.
The example requires pre-existing infrastructure such as a Sentinel workspace and resource group, and an active Microsoft Cloud App Security subscription. It covers connector registration without configuring downstream analytics.
To keep things focused, common connector patterns are omitted, including:
- Data type filtering (dataTypes property)
- Tenant ID specification for multi-tenant scenarios
- Connector state management and monitoring
- Alert rule configuration for ingested data
These omissions are intentional: the goal is to illustrate how the MCAS connector is wired, not provide a drop-in security module. See the MCAS Data Connector resource reference for all available configuration options.
Let's configure Azure Microsoft Cloud App Security Data Connectors
Get started with Pulumi Cloud, then follow our quick setup guide to deploy this infrastructure.
Try Pulumi Cloud for FREEFrequently Asked Questions
Configuration & Setup
dataConnectorId, resourceGroupName, and workspaceName. The kind property is also required and must be set to MicrosoftCloudAppSecurity.kind is required and must be set to the exact value MicrosoftCloudAppSecurity.tenantId property to specify the tenant id to connect to and retrieve data from.Resource Management
dataConnectorId, resourceGroupName, and workspaceName. Plan these values carefully during initial creation.MCASDataConnector is used for various Microsoft security services (Threat Intelligence, Office365, Defender for Threat Intelligence), but the resource configuration remains the same across these use cases.