Configure Azure Microsoft Threat Intelligence Data Connectors

The azure-native:securityinsights:MSTIDataConnector resource, part of the Pulumi Azure Native provider, connects Microsoft Sentinel workspaces to Microsoft Threat Intelligence feeds for ingesting threat indicators and emerging threat data. This guide focuses on two capabilities: enabling threat feed ingestion with lookback periods and minimal connector configuration with defaults.

Data connectors attach to existing Sentinel workspaces within a resource group and require your Azure AD tenant ID. The examples are intentionally small. Combine them with your own workspace infrastructure and security policies.

Enable Microsoft Emerging Threat Feed with lookback

Security teams integrate Microsoft’s threat intelligence feeds to enrich their Sentinel workspace with indicators of compromise and emerging threat data.

import * as pulumi from "@pulumi/pulumi";
import * as azure_native from "@pulumi/azure-native";

// Sample identifiers from the guide; substitute your own tenant, resource group and workspace.
const connectorId = "c345bf40-8509-4ed2-b947-50cb773aaf04";
const sentinelTenantId = "06b3ccb8-1384-4bcc-aec7-852f6d57161b";
const sentinelResourceGroup = "myRg";
const sentinelWorkspace = "myWorkspace";

// ISO 8601 timestamp; threat data is ingested from this point forward.
const lookbackStart = "2024-11-01T00:00:00Z";

// Attaches the Microsoft Threat Intelligence connector to an existing Sentinel
// workspace with the Microsoft Emerging Threat Feed enabled.
const mstiDataConnector = new azure_native.securityinsights.MSTIDataConnector("mstiDataConnector", {
    kind: "MicrosoftThreatIntelligence",
    tenantId: sentinelTenantId,
    // These three properties are immutable once the connector has been created.
    dataConnectorId: connectorId,
    resourceGroupName: sentinelResourceGroup,
    workspaceName: sentinelWorkspace,
    dataTypes: {
        microsoftEmergingThreatFeed: {
            state: azure_native.securityinsights.DataTypeState.Enabled,
            lookbackPeriod: lookbackStart,
        },
    },
});
import pulumi
import pulumi_azure_native as azure_native

# Emerging Threat Feed settings: the feed is enabled and threat data is ingested
# from the lookback timestamp (ISO 8601) forward.
emerging_threat_feed = {
    "state": azure_native.securityinsights.DataTypeState.ENABLED,
    "lookback_period": "2024-11-01T00:00:00Z",
}

# Attach the Microsoft Threat Intelligence connector to an existing Sentinel workspace.
# The GUIDs and names are sample values; substitute your own tenant, resource group
# and workspace.
msti_data_connector = azure_native.securityinsights.MSTIDataConnector(
    "mstiDataConnector",
    kind="MicrosoftThreatIntelligence",
    tenant_id="06b3ccb8-1384-4bcc-aec7-852f6d57161b",
    # These three properties are immutable once the connector has been created.
    data_connector_id="c345bf40-8509-4ed2-b947-50cb773aaf04",
    resource_group_name="myRg",
    workspace_name="myWorkspace",
    data_types={"microsoft_emerging_threat_feed": emerging_threat_feed},
)
package main

import (
	securityinsights "github.com/pulumi/pulumi-azure-native-sdk/securityinsights/v3"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)

// main registers a Microsoft Threat Intelligence data connector on an existing
// Sentinel workspace, with the Microsoft Emerging Threat Feed enabled.
func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		// Feed is enabled; threat data is ingested from the lookback timestamp
		// (ISO 8601) forward.
		emergingThreatFeed := &securityinsights.MSTIDataConnectorDataTypesMicrosoftEmergingThreatFeedArgs{
			State:          pulumi.String(securityinsights.DataTypeStateEnabled),
			LookbackPeriod: pulumi.String("2024-11-01T00:00:00Z"),
		}

		// Sample identifiers from the guide; substitute your own tenant,
		// resource group and workspace.
		connectorArgs := &securityinsights.MSTIDataConnectorArgs{
			Kind:     pulumi.String("MicrosoftThreatIntelligence"),
			TenantId: pulumi.String("06b3ccb8-1384-4bcc-aec7-852f6d57161b"),
			// These three properties are immutable once the connector has been created.
			DataConnectorId:   pulumi.String("c345bf40-8509-4ed2-b947-50cb773aaf04"),
			ResourceGroupName: pulumi.String("myRg"),
			WorkspaceName:     pulumi.String("myWorkspace"),
			DataTypes: &securityinsights.MSTIDataConnectorDataTypesArgs{
				MicrosoftEmergingThreatFeed: emergingThreatFeed,
			},
		}

		// The callback returns the registration error as-is, or nil on success.
		_, err := securityinsights.NewMSTIDataConnector(ctx, "mstiDataConnector", connectorArgs)
		return err
	})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using AzureNative = Pulumi.AzureNative;

return await Deployment.RunAsync(() =>
{
    // Emerging Threat Feed settings: the feed is enabled and threat data is
    // ingested from the lookback timestamp (ISO 8601) forward.
    var emergingThreatFeed = new AzureNative.SecurityInsights.Inputs.MSTIDataConnectorDataTypesMicrosoftEmergingThreatFeedArgs
    {
        State = AzureNative.SecurityInsights.DataTypeState.Enabled,
        LookbackPeriod = "2024-11-01T00:00:00Z",
    };

    // Attach the Microsoft Threat Intelligence connector to an existing Sentinel workspace.
    // The GUIDs and names are sample values; substitute your own tenant, resource group
    // and workspace.
    var connector = new AzureNative.SecurityInsights.MSTIDataConnector("mstiDataConnector", new()
    {
        Kind = "MicrosoftThreatIntelligence",
        TenantId = "06b3ccb8-1384-4bcc-aec7-852f6d57161b",
        // These three properties are immutable once the connector has been created.
        DataConnectorId = "c345bf40-8509-4ed2-b947-50cb773aaf04",
        ResourceGroupName = "myRg",
        WorkspaceName = "myWorkspace",
        DataTypes = new AzureNative.SecurityInsights.Inputs.MSTIDataConnectorDataTypesArgs
        {
            MicrosoftEmergingThreatFeed = emergingThreatFeed,
        },
    });
});
package generated_program;

import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.azurenative.securityinsights.MSTIDataConnector;
import com.pulumi.azurenative.securityinsights.MSTIDataConnectorArgs;
import com.pulumi.azurenative.securityinsights.inputs.MSTIDataConnectorDataTypesArgs;
import com.pulumi.azurenative.securityinsights.inputs.MSTIDataConnectorDataTypesMicrosoftEmergingThreatFeedArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;

/**
 * Pulumi program that attaches a Microsoft Threat Intelligence data connector,
 * with the Microsoft Emerging Threat Feed enabled, to an existing Sentinel workspace.
 */
public class App {
    /** Program entry point; hands the stack definition to the Pulumi runtime. */
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    /**
     * Declares the connector resource.
     *
     * @param ctx Pulumi context supplied by the runtime (not referenced here)
     */
    public static void stack(Context ctx) {
        // Feed is enabled; threat data is ingested from the lookback timestamp
        // (ISO 8601) forward.
        var emergingThreatFeed = MSTIDataConnectorDataTypesMicrosoftEmergingThreatFeedArgs.builder()
            .state("Enabled")
            .lookbackPeriod("2024-11-01T00:00:00Z")
            .build();

        var feeds = MSTIDataConnectorDataTypesArgs.builder()
            .microsoftEmergingThreatFeed(emergingThreatFeed)
            .build();

        // Sample identifiers from the guide; substitute your own tenant,
        // resource group and workspace.
        var connectorArgs = MSTIDataConnectorArgs.builder()
            .kind("MicrosoftThreatIntelligence")
            .tenantId("06b3ccb8-1384-4bcc-aec7-852f6d57161b")
            // These three properties are immutable once the connector has been created.
            .dataConnectorId("c345bf40-8509-4ed2-b947-50cb773aaf04")
            .resourceGroupName("myRg")
            .workspaceName("myWorkspace")
            .dataTypes(feeds)
            .build();

        var connector = new MSTIDataConnector("mstiDataConnector", connectorArgs);
    }
}
# Attaches a Microsoft Threat Intelligence data connector, with the Microsoft
# Emerging Threat Feed enabled, to an existing Sentinel workspace.
# The GUIDs and names below are sample values; substitute your own.
resources:
  mstiDataConnector:
    type: azure-native:securityinsights:MSTIDataConnector
    properties:
      # dataConnectorId, resourceGroupName and workspaceName are immutable after creation.
      dataConnectorId: c345bf40-8509-4ed2-b947-50cb773aaf04
      dataTypes:
        microsoftEmergingThreatFeed:
          # ISO 8601 timestamp; threat data is ingested from this point forward.
          # NOTE(review): the value is unquoted; confirm it reaches the provider as a
          # string (some YAML parsers type bare ISO timestamps) and quote it if in doubt.
          lookbackPeriod: 2024-11-01T00:00:00Z
          state: Enabled
      kind: MicrosoftThreatIntelligence
      resourceGroupName: myRg
      # Azure AD tenant that the connector is configured for.
      tenantId: 06b3ccb8-1384-4bcc-aec7-852f6d57161b
      workspaceName: myWorkspace

The dataTypes property configures which feeds to enable. The microsoftEmergingThreatFeed block controls the Microsoft Emerging Threat Feed specifically. Setting lookbackPeriod to a past date (e.g., “2024-11-01T00:00:00Z”) tells Sentinel to ingest historical threat data from that point forward, not just new indicators; the earlier the date, the more historical data is pulled in, so choose it deliberately. Setting state to Enabled turns the feed on. The tenantId identifies your Azure AD tenant, and workspaceName specifies which Sentinel workspace receives the data. The GUIDs and names in the examples are sample values; replace them with your own.

Connect without explicit data type configuration

Some connector configurations rely on default settings rather than explicit data type configuration.

import * as pulumi from "@pulumi/pulumi";
import * as azure_native from "@pulumi/azure-native";

// Sample identifiers from the guide; substitute your own resource group and workspace.
const minimalConnectorId = "8c569548-a86c-4fb4-8ae4-d1e35a6146f8";
const targetResourceGroup = "myRg";
const targetWorkspace = "myWorkspace";

// Minimal form: only the connector ID and its target workspace are given.
// NOTE(review): this guide's FAQ lists dataTypes, kind and tenantId as required —
// confirm the provider accepts this form and check which feeds end up enabled.
const mstiDataConnector = new azure_native.securityinsights.MSTIDataConnector("mstiDataConnector", {
    workspaceName: targetWorkspace,
    resourceGroupName: targetResourceGroup,
    dataConnectorId: minimalConnectorId,
});
import pulumi
import pulumi_azure_native as azure_native

# Minimal form: only the connector ID and its target workspace are given.
# The GUID and names are sample values; substitute your own.
# NOTE(review): this guide's FAQ lists data_types, kind and tenant_id as required —
# confirm the provider accepts this form and check which feeds end up enabled.
minimal_connector_args = {
    "data_connector_id": "8c569548-a86c-4fb4-8ae4-d1e35a6146f8",
    "resource_group_name": "myRg",
    "workspace_name": "myWorkspace",
}

msti_data_connector = azure_native.securityinsights.MSTIDataConnector(
    "mstiDataConnector",
    **minimal_connector_args,
)
package main

import (
	securityinsights "github.com/pulumi/pulumi-azure-native-sdk/securityinsights/v3"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)

// main registers a Microsoft Threat Intelligence data connector using only the
// connector ID and the target workspace.
func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		// Sample identifiers from the guide; substitute your own.
		// NOTE(review): this guide's FAQ lists DataTypes, Kind and TenantId as
		// required — confirm the provider accepts this form and check which
		// feeds end up enabled.
		minimalArgs := &securityinsights.MSTIDataConnectorArgs{
			WorkspaceName:     pulumi.String("myWorkspace"),
			ResourceGroupName: pulumi.String("myRg"),
			DataConnectorId:   pulumi.String("8c569548-a86c-4fb4-8ae4-d1e35a6146f8"),
		}

		// The callback returns the registration error as-is, or nil on success.
		_, err := securityinsights.NewMSTIDataConnector(ctx, "mstiDataConnector", minimalArgs)
		return err
	})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using AzureNative = Pulumi.AzureNative;

return await Deployment.RunAsync(() =>
{
    // Minimal form: only the connector ID and its target workspace are given.
    // The GUID and names are sample values; substitute your own.
    // NOTE(review): this guide's FAQ lists DataTypes, Kind and TenantId as required —
    // confirm the provider accepts this form and check which feeds end up enabled.
    var connector = new AzureNative.SecurityInsights.MSTIDataConnector("mstiDataConnector", new()
    {
        WorkspaceName = "myWorkspace",
        ResourceGroupName = "myRg",
        DataConnectorId = "8c569548-a86c-4fb4-8ae4-d1e35a6146f8",
    });
});
package generated_program;

import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.azurenative.securityinsights.MSTIDataConnector;
import com.pulumi.azurenative.securityinsights.MSTIDataConnectorArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;

/**
 * Pulumi program that declares a Microsoft Threat Intelligence data connector
 * using only the connector ID and the target workspace.
 */
public class App {
    /** Program entry point; hands the stack definition to the Pulumi runtime. */
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    /**
     * Declares the connector resource.
     *
     * @param ctx Pulumi context supplied by the runtime (not referenced here)
     */
    public static void stack(Context ctx) {
        // Sample identifiers from the guide; substitute your own.
        // NOTE(review): this guide's FAQ lists dataTypes, kind and tenantId as
        // required — confirm the provider accepts this form and check which
        // feeds end up enabled.
        var minimalArgs = MSTIDataConnectorArgs.builder()
            .workspaceName("myWorkspace")
            .resourceGroupName("myRg")
            .dataConnectorId("8c569548-a86c-4fb4-8ae4-d1e35a6146f8")
            .build();

        var connector = new MSTIDataConnector("mstiDataConnector", minimalArgs);
    }
}
# Minimal form: only the connector ID and its target workspace are given.
# The GUID and names below are sample values; substitute your own.
# NOTE(review): this guide's FAQ lists dataTypes, kind and tenantId as required —
# confirm the provider accepts this form and check which feeds end up enabled.
resources:
  mstiDataConnector:
    type: azure-native:securityinsights:MSTIDataConnector
    properties:
      # All three properties are immutable after creation.
      dataConnectorId: 8c569548-a86c-4fb4-8ae4-d1e35a6146f8
      resourceGroupName: myRg
      workspaceName: myWorkspace

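This minimal configuration creates the connector with default data ingestion behavior. Without the dataTypes property, the connector uses its built-in defaults for which feeds to enable and how far back to look. Because the FAQ below lists dataTypes, kind, and tenantId as required, do not assume the defaults give you the coverage you need: after deploying this form, check in the workspace which feeds are actually enabled. The dataConnectorId uniquely identifies this connector instance within the workspace.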

Beyond these examples

These snippets focus on specific connector-level features: Microsoft Emerging Threat Feed configuration and lookback period for historical data. They’re intentionally minimal rather than full threat intelligence integrations.

The examples reference pre-existing infrastructure, such as a Sentinel workspace in a resource group and an Azure AD tenant ID. They focus on configuring the connector rather than provisioning the workspace itself.

To keep things focused, common connector patterns are omitted, including:

  • Connector state management (enabling/disabling feeds)
  • Multiple data type configurations
  • Etag-based concurrency control
  • Custom connector IDs vs auto-generated IDs

These omissions are intentional: the goal is to illustrate how each connector feature is wired, not provide drop-in security modules. See the MSTIDataConnector resource reference for all available configuration options.


Frequently Asked Questions

Configuration & Requirements
What are the required properties for creating an MSTI data connector?
You must provide dataTypes, kind (set to “MicrosoftThreatIntelligence”), and tenantId. The minimal example in this guide nevertheless creates a connector with only dataConnectorId, resourceGroupName, and workspaceName; if you rely on that form, verify after deployment that the feeds you expect are actually enabled.
What value should I use for the kind property?
Set kind to “MicrosoftThreatIntelligence” as this is the expected value for this data connector type.
Can I create a connector without specifying dataTypes?
Yes, examples show connectors created with only dataConnectorId, resourceGroupName, and workspaceName for Premium Microsoft Defender, Office365, and Threat Intelligence Platform configurations.
Immutability & Lifecycle
What properties can't I change after creating the connector?
The dataConnectorId, resourceGroupName, and workspaceName properties are immutable and cannot be changed after creation.
Data Types & Threat Feeds
How do I configure the Microsoft Emerging Threat Feed?
Configure dataTypes.microsoftEmergingThreatFeed with a lookbackPeriod (e.g., “2024-11-01T00:00:00Z”) and state set to “Enabled”.
What does the lookbackPeriod property control?
The lookbackPeriod specifies the historical date from which to start ingesting threat intelligence data, formatted as an ISO 8601 timestamp.
API Versions & Migration
What Azure API version does this resource use?
This resource uses Azure REST API version 2024-09-01. If you’re upgrading from provider v2.x, note that it previously used API version 2023-02-01.
