The azure-native:securityinsights:TIDataConnector resource, part of the Pulumi Azure Native provider, defines a threat intelligence data connector that imports indicators of compromise into Microsoft Sentinel workspaces. This guide focuses on one capability: external threat intelligence platform integration with historical data import.
Data connectors belong to Microsoft Sentinel workspaces and require tenant-level permissions to access threat intelligence feeds. The example is intentionally small. Combine it with your own workspace configuration and access policies.
Connect a threat intelligence platform with lookback
Security teams integrate external threat intelligence platforms to enrich Sentinel with indicators from third-party feeds, importing historical data from a specified lookback period.
import * as pulumi from "@pulumi/pulumi";
import * as azure_native from "@pulumi/azure-native";
const tiDataConnector = new azure_native.securityinsights.TIDataConnector("tiDataConnector", {
dataConnectorId: "73e01a99-5cd7-4139-a149-9f2736ff2ab5",
dataTypes: {
indicators: {
state: azure_native.securityinsights.DataTypeState.Enabled,
},
},
kind: "ThreatIntelligence",
resourceGroupName: "myRg",
tenantId: "06b3ccb8-1384-4bcc-aec7-852f6d57161b",
tipLookbackPeriod: "2020-01-01T13:00:30.123Z",
workspaceName: "myWorkspace",
});
import pulumi
import pulumi_azure_native as azure_native
ti_data_connector = azure_native.securityinsights.TIDataConnector("tiDataConnector",
data_connector_id="73e01a99-5cd7-4139-a149-9f2736ff2ab5",
data_types={
"indicators": {
"state": azure_native.securityinsights.DataTypeState.ENABLED,
},
},
kind="ThreatIntelligence",
resource_group_name="myRg",
tenant_id="06b3ccb8-1384-4bcc-aec7-852f6d57161b",
tip_lookback_period="2020-01-01T13:00:30.123Z",
workspace_name="myWorkspace")
package main
import (
securityinsights "github.com/pulumi/pulumi-azure-native-sdk/securityinsights/v3"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
_, err := securityinsights.NewTIDataConnector(ctx, "tiDataConnector", &securityinsights.TIDataConnectorArgs{
DataConnectorId: pulumi.String("73e01a99-5cd7-4139-a149-9f2736ff2ab5"),
DataTypes: &securityinsights.TIDataConnectorDataTypesArgs{
Indicators: &securityinsights.TIDataConnectorDataTypesIndicatorsArgs{
State: pulumi.String(securityinsights.DataTypeStateEnabled),
},
},
Kind: pulumi.String("ThreatIntelligence"),
ResourceGroupName: pulumi.String("myRg"),
TenantId: pulumi.String("06b3ccb8-1384-4bcc-aec7-852f6d57161b"),
TipLookbackPeriod: pulumi.String("2020-01-01T13:00:30.123Z"),
WorkspaceName: pulumi.String("myWorkspace"),
})
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using AzureNative = Pulumi.AzureNative;
return await Deployment.RunAsync(() =>
{
var tiDataConnector = new AzureNative.SecurityInsights.TIDataConnector("tiDataConnector", new()
{
DataConnectorId = "73e01a99-5cd7-4139-a149-9f2736ff2ab5",
DataTypes = new AzureNative.SecurityInsights.Inputs.TIDataConnectorDataTypesArgs
{
Indicators = new AzureNative.SecurityInsights.Inputs.TIDataConnectorDataTypesIndicatorsArgs
{
State = AzureNative.SecurityInsights.DataTypeState.Enabled,
},
},
Kind = "ThreatIntelligence",
ResourceGroupName = "myRg",
TenantId = "06b3ccb8-1384-4bcc-aec7-852f6d57161b",
TipLookbackPeriod = "2020-01-01T13:00:30.123Z",
WorkspaceName = "myWorkspace",
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.azurenative.securityinsights.TIDataConnector;
import com.pulumi.azurenative.securityinsights.TIDataConnectorArgs;
import com.pulumi.azurenative.securityinsights.inputs.TIDataConnectorDataTypesArgs;
import com.pulumi.azurenative.securityinsights.inputs.TIDataConnectorDataTypesIndicatorsArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var tiDataConnector = new TIDataConnector("tiDataConnector", TIDataConnectorArgs.builder()
.dataConnectorId("73e01a99-5cd7-4139-a149-9f2736ff2ab5")
.dataTypes(TIDataConnectorDataTypesArgs.builder()
.indicators(TIDataConnectorDataTypesIndicatorsArgs.builder()
.state("Enabled")
.build())
.build())
.kind("ThreatIntelligence")
.resourceGroupName("myRg")
.tenantId("06b3ccb8-1384-4bcc-aec7-852f6d57161b")
.tipLookbackPeriod("2020-01-01T13:00:30.123Z")
.workspaceName("myWorkspace")
.build());
}
}
resources:
tiDataConnector:
type: azure-native:securityinsights:TIDataConnector
properties:
dataConnectorId: 73e01a99-5cd7-4139-a149-9f2736ff2ab5
dataTypes:
indicators:
state: Enabled
kind: ThreatIntelligence
resourceGroupName: myRg
tenantId: 06b3ccb8-1384-4bcc-aec7-852f6d57161b
tipLookbackPeriod: 2020-01-01T13:00:30.123Z
workspaceName: myWorkspace
The kind property identifies this as a ThreatIntelligence connector. The dataTypes block enables indicator ingestion by setting state to Enabled. The tipLookbackPeriod defines how far back to import historical indicators (here, from January 2020). The tenantId specifies which Azure AD tenant’s threat intelligence feed to access.
Beyond these examples
This snippet focuses on threat intelligence platform integration: indicator data type configuration and historical data import with lookback periods. It’s intentionally minimal rather than a full threat intelligence deployment.
The example references pre-existing infrastructure such as Microsoft Sentinel workspace, resource group, and Azure AD tenant with appropriate permissions. It focuses on configuring the data connector rather than provisioning the workspace or managing access policies.
To keep things focused, common data connector patterns are omitted, including:
- Connector state management (enable/disable)
- Custom indicator filtering or transformation
- Multiple data type configurations beyond indicators
- Polling interval and refresh settings
These omissions are intentional: the goal is to illustrate how the threat intelligence connector is wired, not provide a drop-in security module. See the TIDataConnector resource reference for all available configuration options.
Let's configure Azure Threat Intelligence Data Connectors
Get started with Pulumi Cloud, then follow our quick setup guide to deploy this infrastructure.
Try Pulumi Cloud for FREEFrequently Asked Questions
Configuration & Required Properties
dataTypes, kind, and tenantId. The kind property must be set to ThreatIntelligence.dataConnectorId, resourceGroupName, and workspaceName, along with the three required properties (dataTypes, kind, and tenantId).dataTypes.indicators.state to either Enabled or Disabled within the dataTypes object.Immutability & Lifecycle
dataConnectorId, resourceGroupName, and workspaceName. Changing any of these will force resource replacement.Data Import & Lookback
2020-01-01T13:00:30.123Z.tipLookbackPeriod is optional. It defines the lookback period for importing the threat intelligence feed.