The azure-native:securityinsights:MDATPDataConnector resource, part of the Pulumi Azure Native provider, registers a Microsoft Defender for Endpoint data connector within a Sentinel workspace. This guide focuses on one capability: connecting Defender for Endpoint to Sentinel.
Data connectors link security products to Sentinel workspaces. The example is intentionally minimal. Extend it with tenant ID specification and data type filtering for production deployments.
Connect Microsoft Defender for Endpoint to Sentinel
Security teams integrate Microsoft Defender for Endpoint with Sentinel to centralize endpoint alerts alongside other security telemetry.
```typescript
import * as pulumi from "@pulumi/pulumi";
import * as azure_native from "@pulumi/azure-native";

const mdatpDataConnector = new azure_native.securityinsights.MDATPDataConnector("mdatpDataConnector", {
    dataConnectorId: "c345bf40-8509-4ed2-b947-50cb773aaf04",
    resourceGroupName: "myRg",
    workspaceName: "myWorkspace",
});
```
```python
import pulumi
import pulumi_azure_native as azure_native

mdatp_data_connector = azure_native.securityinsights.MDATPDataConnector("mdatpDataConnector",
    data_connector_id="c345bf40-8509-4ed2-b947-50cb773aaf04",
    resource_group_name="myRg",
    workspace_name="myWorkspace")
```
```go
package main

import (
	securityinsights "github.com/pulumi/pulumi-azure-native-sdk/securityinsights/v3"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := securityinsights.NewMDATPDataConnector(ctx, "mdatpDataConnector", &securityinsights.MDATPDataConnectorArgs{
			DataConnectorId:   pulumi.String("c345bf40-8509-4ed2-b947-50cb773aaf04"),
			ResourceGroupName: pulumi.String("myRg"),
			WorkspaceName:     pulumi.String("myWorkspace"),
		})
		if err != nil {
			return err
		}
		return nil
	})
}
```
```csharp
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using AzureNative = Pulumi.AzureNative;

return await Deployment.RunAsync(() =>
{
    var mdatpDataConnector = new AzureNative.SecurityInsights.MDATPDataConnector("mdatpDataConnector", new()
    {
        DataConnectorId = "c345bf40-8509-4ed2-b947-50cb773aaf04",
        ResourceGroupName = "myRg",
        WorkspaceName = "myWorkspace",
    });
});
```
```java
package generated_program;

import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.azurenative.securityinsights.MDATPDataConnector;
import com.pulumi.azurenative.securityinsights.MDATPDataConnectorArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;

public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    public static void stack(Context ctx) {
        var mdatpDataConnector = new MDATPDataConnector("mdatpDataConnector", MDATPDataConnectorArgs.builder()
            .dataConnectorId("c345bf40-8509-4ed2-b947-50cb773aaf04")
            .resourceGroupName("myRg")
            .workspaceName("myWorkspace")
            .build());
    }
}
```
```yaml
resources:
  mdatpDataConnector:
    type: azure-native:securityinsights:MDATPDataConnector
    properties:
      dataConnectorId: c345bf40-8509-4ed2-b947-50cb773aaf04
      resourceGroupName: myRg
      workspaceName: myWorkspace
```
The dataConnectorId provides a unique identifier for this connector instance. The resourceGroupName and workspaceName specify where Sentinel stores the ingested data. Once registered, Defender for Endpoint alerts flow automatically into the workspace’s SecurityAlert table.
Beyond these examples
This snippet focuses on data connector registration. It’s intentionally minimal rather than a full security integration.
The example references pre-existing infrastructure such as a Sentinel workspace in a resource group and a Microsoft Defender for Endpoint subscription. It focuses on connector registration rather than provisioning the workspace or configuring Defender.
To keep things focused, common connector patterns are omitted, including:
- Tenant ID specification (tenantId property)
- Data type filtering (dataTypes property)
- Connector state management and validation
- Integration with other Microsoft security products
These omissions are intentional: the goal is to illustrate how the data connector is wired, not provide a drop-in security module. See the MDATP Data Connector resource reference for all available configuration options.
Frequently Asked Questions
Configuration & Setup
kind (must be ‘MicrosoftDefenderAdvancedThreatProtection’) and tenantId (the tenant ID to connect to).
tenantId property is required but missing from all provided examples. You must include it when creating the connector, even though the examples omit it.
Resource Lifecycle
dataConnectorId, resourceGroupName, and workspaceName. Changing these requires recreating the resource.
Examples & Documentation
MDATPDataConnector resource with identical properties. The titles may be misleading.
API & Migration
/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/dataConnectors/{dataConnectorId}
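A pre-deployment check for the points raised in the FAQ and in the list of omitted properties, as an added example rather than Pulumi's own code: it validates connector properties held as plain dictionaries (camelCase keys, as in the YAML example) and reports which edits would force the connector to be recreated. The function names, the placeholder tenant ID and the nested dataTypes shape (`{"alerts": {"state": ...}}`) are assumptions, not taken from this page.

```python
import re

# Values below come from the page: the required kind constant and the three
# properties whose change forces the connector to be recreated.
REQUIRED_KIND = "MicrosoftDefenderAdvancedThreatProtection"
IMMUTABLE = ("dataConnectorId", "resourceGroupName", "workspaceName")
GUID = re.compile(
    r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$", re.I)


def check_connector(props):
    """Return a list of findings for one connector's properties."""
    findings = []
    if props.get("kind") != REQUIRED_KIND:
        findings.append("kind must be " + REQUIRED_KIND)
    tenant = props.get("tenantId")
    if not tenant:
        findings.append("tenantId is required")
    elif not GUID.match(tenant):
        findings.append("tenantId is not a GUID")
    # Assumption: dataTypes follows the shape {"alerts": {"state": ...}}.
    # If it is set, any state other than "Enabled" is reported.
    data_types = props.get("dataTypes")
    if data_types is not None:
        state = (data_types.get("alerts") or {}).get("state")
        if state != "Enabled":
            findings.append("dataTypes.alerts.state is not Enabled")
    return findings


def forces_replacement(old, new):
    """List the immutable properties that differ between two revisions."""
    return [k for k in IMMUTABLE if old.get(k) != new.get(k)]


# Properties exactly as in the page's minimal example.
PAGE_EXAMPLE = {
    "dataConnectorId": "c345bf40-8509-4ed2-b947-50cb773aaf04",
    "resourceGroupName": "myRg",
    "workspaceName": "myWorkspace",
}
# Constructed: the same connector completed with a placeholder tenant ID.
COMPLETED = dict(PAGE_EXAMPLE, kind=REQUIRED_KIND,
                 tenantId="00000000-0000-0000-0000-000000000000",
                 dataTypes={"alerts": {"state": "Enabled"}})

if __name__ == "__main__":
    print(check_connector(PAGE_EXAMPLE))
    print(check_connector(COMPLETED))
    moved = dict(COMPLETED, workspaceName="otherWorkspace")
    print(forces_replacement(COMPLETED, moved))
```

Running a check like this in CI before `pulumi up` catches a connector that would deploy without the required fields, and flags a rename that would recreate the connector.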