Configure Azure MDATP Data Connectors

The azure-native:securityinsights:MDATPDataConnector resource, part of the Pulumi Azure Native provider, registers a Microsoft Defender for Endpoint data connector within a Sentinel workspace. This guide focuses on one capability: connecting Defender for Endpoint to Sentinel.

Data connectors link security data sources to Sentinel workspaces. The example is intentionally minimal. Combine it with your own workspace configuration, data retention policies, and analytics rules.

Connect Microsoft Defender for Endpoint to Sentinel

Security teams integrate Microsoft Defender for Endpoint with Sentinel to centralize endpoint alerts alongside other security telemetry.

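TypeScript:

import * as pulumi from "@pulumi/pulumi";
import * as azure_native from "@pulumi/azure-native";

// Register the Defender for Endpoint connector in an existing Sentinel workspace.
const mdatpDataConnector = new azure_native.securityinsights.MDATPDataConnector("mdatpDataConnector", {
    dataConnectorId: "c345bf40-8509-4ed2-b947-50cb773aaf04",
    kind: "MicrosoftDefenderAdvancedThreatProtection", // required connector kind
    resourceGroupName: "myRg",
    workspaceName: "myWorkspace",
});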
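
Python:

import pulumi
import pulumi_azure_native as azure_native

# Register the Defender for Endpoint connector in an existing Sentinel workspace.
mdatp_data_connector = azure_native.securityinsights.MDATPDataConnector("mdatpDataConnector",
    data_connector_id="c345bf40-8509-4ed2-b947-50cb773aaf04",
    kind="MicrosoftDefenderAdvancedThreatProtection",  # required connector kind
    resource_group_name="myRg",
    workspace_name="myWorkspace")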

Go:

package main

import (
	securityinsights "github.com/pulumi/pulumi-azure-native-sdk/securityinsights/v3"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		// Register the Defender for Endpoint connector in an existing Sentinel workspace.
		_, err := securityinsights.NewMDATPDataConnector(ctx, "mdatpDataConnector", &securityinsights.MDATPDataConnectorArgs{
			DataConnectorId:   pulumi.String("c345bf40-8509-4ed2-b947-50cb773aaf04"),
			Kind:              pulumi.String("MicrosoftDefenderAdvancedThreatProtection"), // required connector kind
			ResourceGroupName: pulumi.String("myRg"),
			WorkspaceName:     pulumi.String("myWorkspace"),
		})
		return err
	})
}

C#:

using Pulumi;
using AzureNative = Pulumi.AzureNative;

return await Deployment.RunAsync(() =>
{
    // Register the Defender for Endpoint connector in an existing Sentinel workspace.
    var mdatpDataConnector = new AzureNative.SecurityInsights.MDATPDataConnector("mdatpDataConnector", new()
    {
        DataConnectorId = "c345bf40-8509-4ed2-b947-50cb773aaf04",
        Kind = "MicrosoftDefenderAdvancedThreatProtection", // required connector kind
        ResourceGroupName = "myRg",
        WorkspaceName = "myWorkspace",
    });
});

Java:

package generated_program;

import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.azurenative.securityinsights.MDATPDataConnector;
import com.pulumi.azurenative.securityinsights.MDATPDataConnectorArgs;

public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    public static void stack(Context ctx) {
        // Register the Defender for Endpoint connector in an existing Sentinel workspace.
        var mdatpDataConnector = new MDATPDataConnector("mdatpDataConnector", MDATPDataConnectorArgs.builder()
            .dataConnectorId("c345bf40-8509-4ed2-b947-50cb773aaf04")
            .kind("MicrosoftDefenderAdvancedThreatProtection") // required connector kind
            .resourceGroupName("myRg")
            .workspaceName("myWorkspace")
            .build());
    }
}

YAML:

resources:
  mdatpDataConnector:
    type: azure-native:securityinsights:MDATPDataConnector
    properties:
      dataConnectorId: c345bf40-8509-4ed2-b947-50cb773aaf04
      # required connector kind
      kind: MicrosoftDefenderAdvancedThreatProtection
      resourceGroupName: myRg
      workspaceName: myWorkspace

The connector streams Defender for Endpoint alerts into your Sentinel workspace. The dataConnectorId uniquely identifies this connector instance, while resourceGroupName and workspaceName specify where the connector lives. Once registered, Defender alerts flow automatically into Sentinel’s SecurityAlert table.

Beyond these examples

This snippet focuses on data connector registration. It’s intentionally minimal rather than a full security operations deployment.

The example references pre-existing infrastructure such as a Sentinel workspace and resource group, and an active Microsoft Defender for Endpoint subscription. It focuses on connector registration rather than provisioning the workspace or configuring Defender itself.

To keep things focused, common connector patterns are omitted, including:

  • Tenant ID specification (tenantId)
  • Data type filtering (dataTypes)
  • Connector state management and monitoring
  • Authentication and permission configuration

These omissions are intentional: the goal is to illustrate how the data connector is wired, not provide a drop-in security operations module. See the MDATPDataConnector resource reference for all available configuration options.

Frequently Asked Questions

Configuration & Setup

What value should I use for the kind property?
The kind property is required and must be set to MicrosoftDefenderAdvancedThreatProtection.

Is the tenantId property required?
The tenantId property is optional. It specifies the tenant id to connect to and retrieve data from.

Why do the examples mention Office365 and Threat Intelligence Platform connectors?
The example titles reference different connector types, but all examples use the MDATPDataConnector resource type. Use this resource specifically for Microsoft Defender Advanced Threat Protection connections.

Resource Properties & Immutability

What properties can't be changed after creating the data connector?
The dataConnectorId, resourceGroupName, and workspaceName properties are immutable and cannot be modified after creation.

API Versions & Provider Changes

What API version does this resource use?
Version 3.x of the Azure Native provider uses Azure REST API version 2024-09-01. Version 2.x used API version 2023-02-01.
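
The constraints in the answers above (the required kind value and the three immutable properties) can be checked before a deployment is attempted. The TypeScript below is an added example, not code from the Pulumi documentation or SDK: ConnectorArgs, checkConnector, and the sample values are hypothetical, and the tenantId check assumes tenant IDs are GUIDs.

```typescript
// Added example, not Pulumi SDK code: ConnectorArgs and checkConnector are
// hypothetical names. Property names and the kind value come from this page.
type ConnectorArgs = {
  dataConnectorId: string;
  resourceGroupName: string;
  workspaceName: string;
  kind?: string;
  tenantId?: string;
};

const REQUIRED_KIND = "MicrosoftDefenderAdvancedThreatProtection";
const IMMUTABLE = ["dataConnectorId", "resourceGroupName", "workspaceName"] as const;
// Assumption: tenant IDs are GUIDs.
const GUID = /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i;

// Returns a list of findings; an empty list means the arguments pass.
function checkConnector(desired: ConnectorArgs, deployed?: ConnectorArgs): string[] {
  const findings: string[] = [];
  if (desired.kind !== REQUIRED_KIND) {
    findings.push(`kind must be "${REQUIRED_KIND}", got "${desired.kind ?? "(unset)"}"`);
  }
  if (desired.tenantId !== undefined && !GUID.test(desired.tenantId)) {
    findings.push("tenantId is set but is not a GUID");
  }
  for (const key of IMMUTABLE) {
    if (desired[key].trim() === "") findings.push(`${key} must not be empty`);
    // Immutable properties cannot be edited in place on an existing connector.
    if (deployed && deployed[key] !== desired[key]) {
      findings.push(`${key} is immutable: "${deployed[key]}" -> "${desired[key]}"`);
    }
  }
  return findings;
}

// Constructed sample input: the connector from the example above, plus a
// proposed edit that moves it to another workspace and drops kind.
const deployedConnector: ConnectorArgs = {
  dataConnectorId: "c345bf40-8509-4ed2-b947-50cb773aaf04",
  resourceGroupName: "myRg",
  workspaceName: "myWorkspace",
  kind: REQUIRED_KIND,
};
const proposedEdit: ConnectorArgs = {
  dataConnectorId: "c345bf40-8509-4ed2-b947-50cb773aaf04",
  resourceGroupName: "myRg",
  workspaceName: "otherWorkspace",
  tenantId: "not-a-guid",
};
const sampleFindings = checkConnector(proposedEdit, deployedConnector);
```

An empty result means the proposed arguments satisfy the constraints stated on this page; it says nothing about permissions or connector state, which the page leaves out of scope.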
