Configure Azure Microsoft Threat Intelligence Data Connectors

The azure-native:securityinsights:MSTIDataConnector resource, part of the Pulumi Azure Native provider, connects Microsoft Sentinel workspaces to Microsoft Threat Intelligence feeds, enabling ingestion of threat indicators and emerging threat data. This guide focuses on two capabilities: threat feed configuration with historical data and minimal connector setup.

Data connectors attach to existing Microsoft Sentinel workspaces within Azure resource groups. The examples are intentionally small. Combine them with your own workspace configuration and access policies.

Enable Microsoft Emerging Threat Feed with lookback

Security teams integrate Microsoft’s threat intelligence feeds to enrich their Sentinel workspace with indicators of compromise and emerging threat data.

TypeScript

import * as pulumi from "@pulumi/pulumi";
import * as azure_native from "@pulumi/azure-native";

const mstiDataConnector = new azure_native.securityinsights.MSTIDataConnector("mstiDataConnector", {
    dataConnectorId: "c345bf40-8509-4ed2-b947-50cb773aaf04",
    dataTypes: {
        microsoftEmergingThreatFeed: {
            lookbackPeriod: "2024-11-01T00:00:00Z",
            state: azure_native.securityinsights.DataTypeState.Enabled,
        },
    },
    kind: "MicrosoftThreatIntelligence",
    resourceGroupName: "myRg",
    tenantId: "06b3ccb8-1384-4bcc-aec7-852f6d57161b",
    workspaceName: "myWorkspace",
});

Python

import pulumi
import pulumi_azure_native as azure_native

msti_data_connector = azure_native.securityinsights.MSTIDataConnector("mstiDataConnector",
    data_connector_id="c345bf40-8509-4ed2-b947-50cb773aaf04",
    data_types={
        "microsoft_emerging_threat_feed": {
            "lookback_period": "2024-11-01T00:00:00Z",
            "state": azure_native.securityinsights.DataTypeState.ENABLED,
        },
    },
    kind="MicrosoftThreatIntelligence",
    resource_group_name="myRg",
    tenant_id="06b3ccb8-1384-4bcc-aec7-852f6d57161b",
    workspace_name="myWorkspace")

Go

package main

import (
	securityinsights "github.com/pulumi/pulumi-azure-native-sdk/securityinsights/v3"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := securityinsights.NewMSTIDataConnector(ctx, "mstiDataConnector", &securityinsights.MSTIDataConnectorArgs{
			DataConnectorId: pulumi.String("c345bf40-8509-4ed2-b947-50cb773aaf04"),
			DataTypes: &securityinsights.MSTIDataConnectorDataTypesArgs{
				MicrosoftEmergingThreatFeed: &securityinsights.MSTIDataConnectorDataTypesMicrosoftEmergingThreatFeedArgs{
					LookbackPeriod: pulumi.String("2024-11-01T00:00:00Z"),
					State:          pulumi.String(securityinsights.DataTypeStateEnabled),
				},
			},
			Kind:              pulumi.String("MicrosoftThreatIntelligence"),
			ResourceGroupName: pulumi.String("myRg"),
			TenantId:          pulumi.String("06b3ccb8-1384-4bcc-aec7-852f6d57161b"),
			WorkspaceName:     pulumi.String("myWorkspace"),
		})
		if err != nil {
			return err
		}
		return nil
	})
}

C#

using System.Collections.Generic;
using System.Linq;
using Pulumi;
using AzureNative = Pulumi.AzureNative;

return await Deployment.RunAsync(() => 
{
    var mstiDataConnector = new AzureNative.SecurityInsights.MSTIDataConnector("mstiDataConnector", new()
    {
        DataConnectorId = "c345bf40-8509-4ed2-b947-50cb773aaf04",
        DataTypes = new AzureNative.SecurityInsights.Inputs.MSTIDataConnectorDataTypesArgs
        {
            MicrosoftEmergingThreatFeed = new AzureNative.SecurityInsights.Inputs.MSTIDataConnectorDataTypesMicrosoftEmergingThreatFeedArgs
            {
                LookbackPeriod = "2024-11-01T00:00:00Z",
                State = AzureNative.SecurityInsights.DataTypeState.Enabled,
            },
        },
        Kind = "MicrosoftThreatIntelligence",
        ResourceGroupName = "myRg",
        TenantId = "06b3ccb8-1384-4bcc-aec7-852f6d57161b",
        WorkspaceName = "myWorkspace",
    });

});

Java

package generated_program;

import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.azurenative.securityinsights.MSTIDataConnector;
import com.pulumi.azurenative.securityinsights.MSTIDataConnectorArgs;
import com.pulumi.azurenative.securityinsights.inputs.MSTIDataConnectorDataTypesArgs;
import com.pulumi.azurenative.securityinsights.inputs.MSTIDataConnectorDataTypesMicrosoftEmergingThreatFeedArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;

public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    public static void stack(Context ctx) {
        var mstiDataConnector = new MSTIDataConnector("mstiDataConnector", MSTIDataConnectorArgs.builder()
            .dataConnectorId("c345bf40-8509-4ed2-b947-50cb773aaf04")
            .dataTypes(MSTIDataConnectorDataTypesArgs.builder()
                .microsoftEmergingThreatFeed(MSTIDataConnectorDataTypesMicrosoftEmergingThreatFeedArgs.builder()
                    .lookbackPeriod("2024-11-01T00:00:00Z")
                    .state("Enabled")
                    .build())
                .build())
            .kind("MicrosoftThreatIntelligence")
            .resourceGroupName("myRg")
            .tenantId("06b3ccb8-1384-4bcc-aec7-852f6d57161b")
            .workspaceName("myWorkspace")
            .build());

    }
}

YAML

resources:
  mstiDataConnector:
    type: azure-native:securityinsights:MSTIDataConnector
    properties:
      dataConnectorId: c345bf40-8509-4ed2-b947-50cb773aaf04
      dataTypes:
        microsoftEmergingThreatFeed:
          lookbackPeriod: 2024-11-01T00:00:00Z
          state: Enabled
      kind: MicrosoftThreatIntelligence
      resourceGroupName: myRg
      tenantId: 06b3ccb8-1384-4bcc-aec7-852f6d57161b
      workspaceName: myWorkspace

The dataTypes property configures which threat feeds to enable. The microsoftEmergingThreatFeed block controls the Microsoft Emerging Threat Feed specifically, with lookbackPeriod defining how far back to retrieve historical indicators (here, from November 1, 2024). The state property enables the feed, and kind identifies this as a Microsoft Threat Intelligence connector. The tenantId specifies which Azure AD tenant’s data to ingest.

Connect with minimal configuration

Some connector types require only workspace identification without additional data type configuration.

TypeScript

import * as pulumi from "@pulumi/pulumi";
import * as azure_native from "@pulumi/azure-native";

const mstiDataConnector = new azure_native.securityinsights.MSTIDataConnector("mstiDataConnector", {
    dataConnectorId: "8c569548-a86c-4fb4-8ae4-d1e35a6146f8",
    resourceGroupName: "myRg",
    workspaceName: "myWorkspace",
});

Python

import pulumi
import pulumi_azure_native as azure_native

msti_data_connector = azure_native.securityinsights.MSTIDataConnector("mstiDataConnector",
    data_connector_id="8c569548-a86c-4fb4-8ae4-d1e35a6146f8",
    resource_group_name="myRg",
    workspace_name="myWorkspace")

Go

package main

import (
	securityinsights "github.com/pulumi/pulumi-azure-native-sdk/securityinsights/v3"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := securityinsights.NewMSTIDataConnector(ctx, "mstiDataConnector", &securityinsights.MSTIDataConnectorArgs{
			DataConnectorId:   pulumi.String("8c569548-a86c-4fb4-8ae4-d1e35a6146f8"),
			ResourceGroupName: pulumi.String("myRg"),
			WorkspaceName:     pulumi.String("myWorkspace"),
		})
		if err != nil {
			return err
		}
		return nil
	})
}

C#

using System.Collections.Generic;
using System.Linq;
using Pulumi;
using AzureNative = Pulumi.AzureNative;

return await Deployment.RunAsync(() => 
{
    var mstiDataConnector = new AzureNative.SecurityInsights.MSTIDataConnector("mstiDataConnector", new()
    {
        DataConnectorId = "8c569548-a86c-4fb4-8ae4-d1e35a6146f8",
        ResourceGroupName = "myRg",
        WorkspaceName = "myWorkspace",
    });

});

Java

package generated_program;

import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.azurenative.securityinsights.MSTIDataConnector;
import com.pulumi.azurenative.securityinsights.MSTIDataConnectorArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;

public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    public static void stack(Context ctx) {
        var mstiDataConnector = new MSTIDataConnector("mstiDataConnector", MSTIDataConnectorArgs.builder()
            .dataConnectorId("8c569548-a86c-4fb4-8ae4-d1e35a6146f8")
            .resourceGroupName("myRg")
            .workspaceName("myWorkspace")
            .build());

    }
}

YAML

resources:
  mstiDataConnector:
    type: azure-native:securityinsights:MSTIDataConnector
    properties:
      dataConnectorId: 8c569548-a86c-4fb4-8ae4-d1e35a6146f8
      resourceGroupName: myRg
      workspaceName: myWorkspace

This minimal configuration creates a connector using workspace-level defaults. The dataConnectorId uniquely identifies the connector instance, while resourceGroupName and workspaceName specify where to create it. Without explicit dataTypes configuration, the connector uses default settings or relies on configuration through other mechanisms.
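As an added example (not part of the Pulumi documentation or the provider), the following pre-deployment lint checks a connector's properties against the rules this page states for the feed configuration and the minimal configuration: the fixed kind value, the Enabled/Disabled states, and an ISO 8601 lookbackPeriod. The function names, severity labels, and message wording are assumptions; the sample inputs are constructed from the two configurations above.

```python
import re
from datetime import datetime, timezone

GUID = re.compile(r"^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$")

def parse_lookback(value):
    """Parse an ISO 8601 timestamp; return a timezone-aware datetime or None."""
    try:
        # Older Python versions do not accept a trailing "Z" in fromisoformat().
        ts = datetime.fromisoformat(str(value).replace("Z", "+00:00"))
    except ValueError:
        return None
    return ts if ts.tzinfo else None  # reject timestamps without an offset

def lint_connector(props, now=None):
    """Return (severity, message) findings for one connector's properties."""
    now = now or datetime.now(timezone.utc)
    ids = ("dataConnectorId", "resourceGroupName", "workspaceName")
    out = [("error", f"{k} is missing") for k in ids if not props.get(k)]
    kind = props.get("kind")
    if kind is not None and kind != "MicrosoftThreatIntelligence":
        out.append(("error", f"kind must be MicrosoftThreatIntelligence, got {kind!r}"))
    tenant = props.get("tenantId")
    if tenant is not None and not GUID.match(str(tenant)):
        out.append(("error", "tenantId is not a GUID"))
    feed = (props.get("dataTypes") or {}).get("microsoftEmergingThreatFeed")
    if feed is None:
        # Minimal configuration: nothing in code says which feed is enabled.
        out.append(("warn", "no microsoftEmergingThreatFeed block; feed relies on defaults"))
        return out
    state = feed.get("state")
    if state not in ("Enabled", "Disabled"):
        out.append(("error", f"state must be Enabled or Disabled, got {state!r}"))
    elif state == "Disabled":
        out.append(("warn", "feed state is Disabled"))
    ts = parse_lookback(feed.get("lookbackPeriod"))
    if ts is None:
        out.append(("error", "lookbackPeriod is not an ISO 8601 timestamp with an offset"))
    elif ts > now:
        out.append(("error", "lookbackPeriod is in the future"))
    return out

# Constructed sample inputs mirroring the two configurations on this page.
MINIMAL = {"dataConnectorId": "8c569548-a86c-4fb4-8ae4-d1e35a6146f8",
           "resourceGroupName": "myRg", "workspaceName": "myWorkspace"}
FULL = dict(MINIMAL, dataConnectorId="c345bf40-8509-4ed2-b947-50cb773aaf04",
            kind="MicrosoftThreatIntelligence",
            tenantId="06b3ccb8-1384-4bcc-aec7-852f6d57161b",
            dataTypes={"microsoftEmergingThreatFeed": {
                "lookbackPeriod": "2024-11-01T00:00:00Z", "state": "Enabled"}})
```

Run it over the resolved properties of each connector in a stack before deployment and fail the pipeline on any error finding; warnings mark connectors whose feed state is not visible in code review.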

Beyond these examples

These snippets focus on specific connector-level features: threat feed configuration with lookback periods and minimal connector provisioning. They’re intentionally minimal rather than full threat intelligence integrations.

The examples reference pre-existing infrastructure such as Microsoft Sentinel workspaces and Azure resource groups. They focus on configuring the connector rather than provisioning the underlying workspace.

To keep things focused, common connector patterns are omitted, including:

  • Data type state management (enabling/disabling feeds)
  • Tenant ID specification for multi-tenant scenarios
  • Connector kind selection (different threat intelligence sources)
  • ETags for optimistic concurrency control

These omissions are intentional: the goal is to illustrate how each connector feature is wired, not provide drop-in threat intelligence modules. See the MSTIDataConnector resource reference for all available configuration options.

Frequently Asked Questions

Configuration & Required Properties

What value must I use for the kind property?
The kind property must be set to "MicrosoftThreatIntelligence".

Is the dataTypes property required?
The schema marks dataTypes as required, but examples 2-4 omit it entirely. Include dataTypes when configuring the Microsoft Emerging Threat Feed; it may be optional for other connector configurations.

How do I configure the Microsoft Emerging Threat Feed?
Set dataTypes.microsoftEmergingThreatFeed with a lookbackPeriod (ISO 8601 timestamp like "2024-11-01T00:00:00Z") and state (Enabled or Disabled).

Resource Identity & Immutability

What properties can't I change after creating the connector?
Three properties are immutable: dataConnectorId, resourceGroupName, and workspaceName. Changing any of these requires recreating the resource.

API Versioning

What API version does this resource use?
This resource uses Azure REST API version 2024-09-01. In version 2.x of the Azure Native provider, it used API version 2023-02-01.

What's the difference between the connector types in the examples?
The examples show titles like “Office365 data connector” and “Threat Intelligence Platform data connector,” but all use the same MSTIDataConnector resource type with kind set to "MicrosoftThreatIntelligence".