The azure-native:securityinsights:TIDataConnector resource, part of the Pulumi Azure Native provider, defines threat intelligence data connectors that import indicators of compromise into Microsoft Sentinel workspaces. This guide focuses on one capability: connecting external threat intelligence platforms with indicator configuration and historical data import.
Data connectors belong to Microsoft Sentinel workspaces and require Azure AD tenant permissions. The example is intentionally small. Combine it with your own workspace configuration, data retention policies, and indicator processing rules.
Connect a threat intelligence platform with lookback
Security teams integrate external threat intelligence platforms to enrich Sentinel with indicators from third-party feeds, importing historical data from a specified lookback period.
import * as pulumi from "@pulumi/pulumi";
import * as azure_native from "@pulumi/azure-native";
// Sample identifiers taken from the reference example. Replace them with the values for
// your own Sentinel workspace (for example from stack configuration) before deploying.
const connectorId = "73e01a99-5cd7-4139-a149-9f2736ff2ab5";
const sentinelTenantId = "06b3ccb8-1384-4bcc-aec7-852f6d57161b";

// Start of the historical import window: indicators are imported from this timestamp onward.
const lookbackStart = "2020-01-01T13:00:30.123Z";

// Threat intelligence platform connector attached to an existing Sentinel workspace.
// The resource group and workspace are expected to exist already; this program does not create them.
const tiDataConnector = new azure_native.securityinsights.TIDataConnector("tiDataConnector", {
    resourceGroupName: "myRg",
    workspaceName: "myWorkspace",
    dataConnectorId: connectorId,
    kind: "ThreatIntelligence",
    tenantId: sentinelTenantId,
    tipLookbackPeriod: lookbackStart,
    dataTypes: {
        // Turns on ingestion of the indicators data type.
        indicators: {
            state: azure_native.securityinsights.DataTypeState.Enabled,
        },
    },
});
import pulumi
import pulumi_azure_native as azure_native
# Indicator ingestion settings: the "indicators" data type is switched on.
indicator_data_types = {
    "indicators": {
        "state": azure_native.securityinsights.DataTypeState.ENABLED,
    },
}

# Threat intelligence platform connector attached to an existing Sentinel workspace.
# The GUIDs and names below are the sample values from the reference example; replace them
# with the values for your own tenant, resource group and workspace before deploying.
ti_data_connector = azure_native.securityinsights.TIDataConnector(
    "tiDataConnector",
    resource_group_name="myRg",
    workspace_name="myWorkspace",
    data_connector_id="73e01a99-5cd7-4139-a149-9f2736ff2ab5",
    kind="ThreatIntelligence",
    tenant_id="06b3ccb8-1384-4bcc-aec7-852f6d57161b",
    # Start of the historical import window for indicators.
    tip_lookback_period="2020-01-01T13:00:30.123Z",
    data_types=indicator_data_types,
)
package main
import (
securityinsights "github.com/pulumi/pulumi-azure-native-sdk/securityinsights/v3"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
// main registers a single threat intelligence data connector on an existing
// Microsoft Sentinel workspace. The GUIDs and names are the sample values from
// the reference example and must be replaced with your own before deploying.
func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		// Switch on ingestion of the indicators data type.
		indicatorTypes := &securityinsights.TIDataConnectorDataTypesArgs{
			Indicators: &securityinsights.TIDataConnectorDataTypesIndicatorsArgs{
				State: pulumi.String(securityinsights.DataTypeStateEnabled),
			},
		}

		connectorArgs := &securityinsights.TIDataConnectorArgs{
			ResourceGroupName: pulumi.String("myRg"),
			WorkspaceName:     pulumi.String("myWorkspace"),
			DataConnectorId:   pulumi.String("73e01a99-5cd7-4139-a149-9f2736ff2ab5"),
			Kind:              pulumi.String("ThreatIntelligence"),
			TenantId:          pulumi.String("06b3ccb8-1384-4bcc-aec7-852f6d57161b"),
			// Start of the historical import window for indicators.
			TipLookbackPeriod: pulumi.String("2020-01-01T13:00:30.123Z"),
			DataTypes:         indicatorTypes,
		}

		// The resource handle is not needed afterwards; only the error is propagated.
		_, err := securityinsights.NewTIDataConnector(ctx, "tiDataConnector", connectorArgs)
		return err
	})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using AzureNative = Pulumi.AzureNative;
// Declares one threat intelligence data connector on an existing Microsoft Sentinel
// workspace. The GUIDs and names are the sample values from the reference example and
// must be replaced with your own before deploying.
return await Deployment.RunAsync(() =>
{
    // Switch on ingestion of the indicators data type.
    var indicatorTypes = new AzureNative.SecurityInsights.Inputs.TIDataConnectorDataTypesArgs
    {
        Indicators = new AzureNative.SecurityInsights.Inputs.TIDataConnectorDataTypesIndicatorsArgs
        {
            State = AzureNative.SecurityInsights.DataTypeState.Enabled,
        },
    };

    var connectorArgs = new AzureNative.SecurityInsights.TIDataConnectorArgs
    {
        ResourceGroupName = "myRg",
        WorkspaceName = "myWorkspace",
        DataConnectorId = "73e01a99-5cd7-4139-a149-9f2736ff2ab5",
        Kind = "ThreatIntelligence",
        TenantId = "06b3ccb8-1384-4bcc-aec7-852f6d57161b",
        // Start of the historical import window for indicators.
        TipLookbackPeriod = "2020-01-01T13:00:30.123Z",
        DataTypes = indicatorTypes,
    };

    var tiDataConnector = new AzureNative.SecurityInsights.TIDataConnector("tiDataConnector", connectorArgs);
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.azurenative.securityinsights.TIDataConnector;
import com.pulumi.azurenative.securityinsights.TIDataConnectorArgs;
import com.pulumi.azurenative.securityinsights.inputs.TIDataConnectorDataTypesArgs;
import com.pulumi.azurenative.securityinsights.inputs.TIDataConnectorDataTypesIndicatorsArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
/**
 * Pulumi program that declares one threat intelligence data connector on an existing
 * Microsoft Sentinel workspace.
 *
 * <p>The GUIDs and names are the sample values from the reference example; replace them
 * with the values for your own tenant, resource group and workspace before deploying.
 */
public class App {
    /** Hands the stack definition to the Pulumi runtime. */
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    /**
     * Declares the connector resource.
     *
     * @param ctx Pulumi context supplied by the runtime (not used by this example)
     */
    public static void stack(Context ctx) {
        // Switch on ingestion of the indicators data type.
        final var indicatorSettings = TIDataConnectorDataTypesIndicatorsArgs.builder()
            .state("Enabled")
            .build();
        final var dataTypes = TIDataConnectorDataTypesArgs.builder()
            .indicators(indicatorSettings)
            .build();

        final var connectorArgs = TIDataConnectorArgs.builder()
            .resourceGroupName("myRg")
            .workspaceName("myWorkspace")
            .dataConnectorId("73e01a99-5cd7-4139-a149-9f2736ff2ab5")
            .kind("ThreatIntelligence")
            .tenantId("06b3ccb8-1384-4bcc-aec7-852f6d57161b")
            // Start of the historical import window for indicators.
            .tipLookbackPeriod("2020-01-01T13:00:30.123Z")
            .dataTypes(dataTypes)
            .build();

        var tiDataConnector = new TIDataConnector("tiDataConnector", connectorArgs);
    }
}
# Pulumi YAML program: declares one threat intelligence data connector on an existing
# Microsoft Sentinel workspace. The GUIDs and names are the sample values from the
# reference example; replace them with your own before deploying.
resources:
  tiDataConnector:
    type: azure-native:securityinsights:TIDataConnector
    properties:
      # Sample connector GUID from the reference example.
      dataConnectorId: 73e01a99-5cd7-4139-a149-9f2736ff2ab5
      dataTypes:
        indicators:
          # Turns on ingestion of the indicators data type.
          state: Enabled
      kind: ThreatIntelligence
      # Resource group and workspace must already exist; this program does not create them.
      resourceGroupName: myRg
      # Sample tenant GUID from the reference example.
      tenantId: 06b3ccb8-1384-4bcc-aec7-852f6d57161b
      # Start of the historical import window for indicators.
      # NOTE(review): this timestamp is unquoted; confirm it is passed to the provider as a string.
      tipLookbackPeriod: 2020-01-01T13:00:30.123Z
      workspaceName: myWorkspace
The kind property identifies this as a “ThreatIntelligence” connector for external platforms. The dataTypes configuration enables indicator ingestion by setting state to “Enabled”. The tipLookbackPeriod defines how far back to import historical indicators (here, from January 2020), and tenantId specifies which Azure AD tenant to authenticate against when accessing the threat intelligence source. A lookback that reaches this far pulls in years of historical indicators, some of which may no longer be valid, so pick a date that matches how your analytics rules treat aged indicators.
Beyond these examples
This snippet focuses on threat intelligence platform integration: indicator data type configuration and historical data import with lookback periods. It’s intentionally minimal rather than a full threat intelligence deployment.
The example references pre-existing infrastructure such as a Microsoft Sentinel workspace, a resource group, and an Azure AD tenant with appropriate permissions. It focuses on configuring the data connector rather than provisioning the workspace or managing downstream analytics.
To keep things focused, common data connector patterns are omitted, including:
- Connector state management (enable/disable)
- Data refresh intervals and polling configuration
- Indicator filtering and transformation rules
- Integration with specific TIP vendors and feed standards (STIX/TAXII)
These omissions are intentional: the goal is to illustrate how the threat intelligence connector is wired, not to provide drop-in security modules. See the TIDataConnector resource reference for all available configuration options.
Frequently Asked Questions
Resource Management
The dataConnectorId, resourceGroupName, and workspaceName properties cannot be changed in place. You’ll need to recreate the connector to change any of these.
Configuration & Setup
dataConnectorId, resourceGroupName, and workspaceName.
dataTypes.indicators.state (set to Enabled), kind (set to ThreatIntelligence), tenantId, and tipLookbackPeriod.
The kind property is required and should be set to ThreatIntelligence. While some examples omit it, explicitly setting it ensures compatibility with the schema requirements.