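# Cortex XSOAR integration definition for Azure Data Explorer (Kusto).
# Nesting restored: `id`/`version` belong under `commonfields`.
category: Analytics & SIEM
commonfields:
  id: AzureDataExplorer
  # -1 is the conventional placeholder version in content-repo YAMLs.
  version: -1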
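# Instance parameters. Secrets (client secret, authorization code) use the
# credential parameter type (9) rather than plain text fields.
configuration:
- name: cluster_url
  display: Cluster URL (e.g. https://help.kusto.windows.net)
  required: true
  # Default is the public Kusto sample cluster named in the display text.
  defaultvalue: https://help.kusto.windows.net
  type: 0
  additionalinfo: null
- name: client_id
  display: Application ID
  required: true
  # Shipped default application (client) ID. NOTE(review): Authorization Code
  # mode also takes tenant_id / credentials / redirect_uri below, which
  # suggests an operator-registered app is expected in that mode — confirm
  # against the integration's setup documentation.
  defaultvalue: a9ce8db2-847a-46af-9bfb-725d8a8d3c53
  type: 0
  additionalinfo: null
- name: client_activity_prefix
  display: Client Activity Prefix
  required: true
  defaultvalue: XSOAR-DataExplorer
  type: 0
  additionalinfo: "A customized prefix of the client activity identifier for the query execution. For example, for a prefix value of 'XSOAR-DataExplorer', the client activity ID will be in the format of: 'XSOAR-DataExplorer;<UUID>'."
- name: insecure
  display: Trust any certificate (not secure)
  required: false
  # Disables TLS certificate validation towards the cluster; the display text
  # already marks it as not secure. Leave false outside isolated test setups.
  defaultvalue: "false"
  type: 8
  additionalinfo: null
- name: proxy
  display: Use system proxy settings
  required: false
  defaultvalue: "false"
  type: 8
  additionalinfo: null
- name: authentication_type
  display: Authentication Type
  required: true
  # NOTE(review): additionalinfo recommends Authorization Code Flow, but the
  # default selects Device Code — consider aligning the default with the
  # recommendation.
  defaultvalue: Device Code
  type: 15
  additionalinfo: Type of authentication - could be Authorization Code Flow (recommended) or Device Code Flow
  options:
  - Device Code
  - Authorization Code
- name: tenant_id
  display: Tenant ID (for Authorization Code mode)
  required: false
  defaultvalue: null
  type: 0
  additionalinfo: ""
- name: credentials
  display: Client Secret (for Authorization Code mode)
  required: false
  defaultvalue: null
  # Credential-type parameter: the secret lives in the platform credential
  # store; hiddenusername hides the unused username half of the field.
  type: 9
  additionalinfo: ""
  displaypassword: Client Secret (for Authorization Code mode)
  hiddenusername: true
- name: redirect_uri
  display: Application redirect URI (for Authorization Code mode)
  required: false
  # Was a bare `defaultvalue:`; written as explicit null (same value) to match
  # the other entries.
  defaultvalue: null
  type: 0
  additionalinfo: ""
- name: auth_code
  display: Authorization code
  required: false
  defaultvalue: null
  # Handled as a credential parameter, like the client secret above, so the
  # code is treated as a secret rather than a plain text setting.
  type: 9
  additionalinfo: for Authorization Code mode - received from the authorization step. see Detailed Instructions (?) section
  displaypassword: Authorization code
  hiddenusername: true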
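# Integration-level metadata. The description continuation line was at
# column 0 and would not parse as part of the scalar; folded onto one line.
description: Use the Azure Data Explorer integration to collect and analyze data inside Azure Data Explorer clusters, and to manage search queries.
display: Azure Data Explorer
name: AzureDataExplorer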
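# Command surface and runtime settings. Nesting restored (commands, their
# arguments and outputs all sit under `script`).
script:
  commands:
  # --- azure-data-explorer-search-query-execute -----------------------------
  - arguments:
    - default: false
      description: Kusto Query Language (KQL) search query to execute on given database.
      isArray: false
      name: query
      required: true
      secret: false
    - default: false
      description: The name of the database to execute the query on.
      isArray: false
      name: database_name
      required: true
      secret: false
    - default: false
      # Kept quoted like the other argument defaults so it stays a string;
      # the description bounds it to 0–60 minutes.
      defaultValue: "5"
      description: The timeout for the execution of the search query on the server side. The timeout is a float number in minutes that ranges from 0 to 60.
      isArray: false
      name: timeout
      required: false
      secret: false
    deprecated: false
    # The description states the query is a read-only request; the executed
    # text is echoed into context (SearchQueryResults.Query), so it is part of
    # the investigation record.
    description: Execute a Kusto Query Language (KQL) query against the given database inside a cluster. The Kusto query is a read-only request to process data and return results. To learn more about KQL go to https://docs.microsoft.com/en-us/azure/kusto/query/.
    execution: false
    name: azure-data-explorer-search-query-execute
    outputs:
    - contextPath: AzureDataExplorer.SearchQueryResults.Query
      description: The executed query on the given database.
      type: String
    - contextPath: AzureDataExplorer.SearchQueryResults.ClientActivityID
      description: The Client Activity ID. A unique identifier of the executed query.
      type: String
    - contextPath: AzureDataExplorer.SearchQueryResults.PrimaryResults
      description: The results of the query execution.
      type: Unknown
    - contextPath: AzureDataExplorer.SearchQueryResults.Database
      description: The database against which the query will be executed.
      type: String
  # --- azure-data-explorer-search-query-list --------------------------------
  - arguments:
    - default: false
      description: "The name of the database from which to list the completed search queries. "
      isArray: false
      name: database_name
      required: true
      secret: false
    - default: false
      description: The client activity ID property of the search query. Use this value to get a specific search query.
      isArray: false
      name: client_activity_id
      required: false
      secret: false
    - default: false
      defaultValue: "50"
      description: The maximum number of completed queries to return.
      isArray: false
      name: limit
      required: false
      secret: false
    - default: false
      defaultValue: "1"
      description: The page number from which to start a search.
      isArray: false
      name: page
      required: false
      secret: false
    - default: false
      description: The maximum number of completed queries to return per page. If this argument is not provided, an automatic pagination will be made according to the limit argument.
      isArray: false
      name: page_size
      required: false
      secret: false
    deprecated: false
    # Visibility is role-scoped on the cluster side (admins/monitors see all
    # commands, other users only their own), per the description.
    description: List search queries that have reached a final state in the given database. A database admin or database monitor can see any command that was invoked on their database. Other users can only see queries that they themselves invoked.
    execution: false
    name: azure-data-explorer-search-query-list
    outputs:
    - contextPath: AzureDataExplorer.SearchQuery.ClientActivityId
      description: The client activity ID. A unique identifier of the query execution.
      type: String
    - contextPath: AzureDataExplorer.SearchQuery.Text
      description: The search query text.
      type: String
    - contextPath: AzureDataExplorer.SearchQuery.Database
      description: The name of the database that the search query is run on.
      type: String
    - contextPath: AzureDataExplorer.SearchQuery.StartedOn
      description: "The query execution start time in UTC. "
      type: Date
    - contextPath: AzureDataExplorer.SearchQuery.LastUpdatedOn
      description: The last update time of the query.
      type: Date
    - contextPath: AzureDataExplorer.SearchQuery.Duration
      description: The search query runtime.
      type: Date
    - contextPath: AzureDataExplorer.SearchQuery.State
      description: The search query state.
      type: String
    - contextPath: AzureDataExplorer.SearchQuery.RootActivityId
      description: The root activity ID.
      type: String
    - contextPath: AzureDataExplorer.SearchQuery.User
      description: The user who performed the query.
      type: String
    - contextPath: AzureDataExplorer.SearchQuery.FailureReason
      description: The reason for query failure.
      type: String
    - contextPath: AzureDataExplorer.SearchQuery.TotalCpu
      description: The total CPU clock time (User mode + Kernel mode) consumed by this query.
      type: String
    - contextPath: AzureDataExplorer.SearchQuery.CacheStatistics.Memory.Hits
      description: The number of cache hits.
      type: Number
    - contextPath: AzureDataExplorer.SearchQuery.CacheStatistics.Memory.Misses
      description: The number of cache misses.
      type: Number
    - contextPath: AzureDataExplorer.SearchQuery.CacheStatistics.Disk.Hits
      description: The number of disk hits.
      type: Number
    - contextPath: AzureDataExplorer.SearchQuery.CacheStatistics.Disk.Misses
      description: The number of disk misses.
      type: Number
    - contextPath: AzureDataExplorer.SearchQuery.CacheStatistics.Shards.Hot.HitBytes
      description: The amount of data (in bytes) which was found in the hot data cache of the table's extents, during the search query execution.
      type: Number
    - contextPath: AzureDataExplorer.SearchQuery.CacheStatistics.Shards.Hot.MissBytes
      description: The amount of data (in bytes) which was not found in the hot data cache of the table's extents, during the search query execution.
      type: Number
    - contextPath: AzureDataExplorer.SearchQuery.CacheStatistics.Shards.Hot.RetrieveBytes
      description: The amount of data (in bytes) that was retrieved from hot data cache of the table's extents, during the search query execution.
      type: Number
    - contextPath: AzureDataExplorer.SearchQuery.CacheStatistics.Shards.Cold.HitBytes
      description: The amount of data (in bytes) which was found in the cold data cache of the table's extents, during the search query execution.
      type: Number
    - contextPath: AzureDataExplorer.SearchQuery.CacheStatistics.Shards.Cold.MissBytes
      description: The amount of data (in bytes) which was not found in the cold data cache of the table's extents, during the search query execution.
      type: Number
    - contextPath: AzureDataExplorer.SearchQuery.CacheStatistics.Shards.Cold.RetrieveBytes
      description: The amount of data (in bytes) that was retrieved from cold data cache during the search query execution.
      type: Number
    - contextPath: AzureDataExplorer.SearchQuery.CacheStatistics.Shards.BypassBytes
      description: The amount of data (in bytes) that was bypassed (reloaded) in the cache of the table's extents during the search query execution.
      type: Number
    - contextPath: AzureDataExplorer.SearchQuery.Application
      description: The application name that invoked the command.
      type: String
    - contextPath: AzureDataExplorer.SearchQuery.MemoryPeak
      description: The peak memory usage of the query execution.
      type: Number
    - contextPath: AzureDataExplorer.SearchQuery.ScannedExtentsStatistics.MinDataScannedTime
      description: The minimum data scan time.
      type: Date
    - contextPath: AzureDataExplorer.SearchQuery.ScannedExtentsStatistics.MaxDataScannedTime
      description: The maximum data scan time.
      type: Date
    - contextPath: AzureDataExplorer.SearchQuery.ScannedExtentsStatistics.TotalExtentsCount
      description: The total number of extents which were used during the query execution.
      type: Number
    - contextPath: AzureDataExplorer.SearchQuery.ScannedExtentsStatistics.ScannedExtentsCount
      description: The number of extents which were scanned during the query execution.
      type: Number
    - contextPath: AzureDataExplorer.SearchQuery.ScannedExtentsStatistics.TotalRowsCount
      description: The total row count of extents which were used during the query execution.
      type: Number
    - contextPath: AzureDataExplorer.SearchQuery.ScannedExtentsStatistics.ScannedRowsCount
      description: The number of scanned rows of an extent during query execution.
      type: Number
    - contextPath: AzureDataExplorer.SearchQuery.Principal
      description: The principal that invoked the query.
      type: String
    - contextPath: AzureDataExplorer.SearchQuery.ClientRequestProperties.SecurityTokenPresent
      description: Whether the security token is present in the request or not.
      type: Boolean
    - contextPath: AzureDataExplorer.SearchQuery.ClientRequestProperties.AuthorizationScheme
      description: The authorization scheme.
      type: String
    - contextPath: AzureDataExplorer.SearchQuery.ClientRequestProperties.RequestHostName
      description: The hostname of the request.
      type: String
    - contextPath: AzureDataExplorer.SearchQuery.ClientRequestProperties.LocalClusterName
      description: The cluster name.
      type: String
    - contextPath: AzureDataExplorer.SearchQuery.ClientRequestProperties.OriginClusterName
      description: The origin cluster name.
      type: String
    - contextPath: AzureDataExplorer.SearchQuery.ClientRequestProperties.Options.api_version
      description: The API version.
      type: String
    - contextPath: AzureDataExplorer.SearchQuery.ClientRequestProperties.Options.request_readonly
      description: Whether the request is read-only or not.
      type: Boolean
    - contextPath: AzureDataExplorer.SearchQuery.ClientRequestProperties.Options.servertimeout
      description: The server timeout value.
      type: Number
    - contextPath: AzureDataExplorer.SearchQuery.ClientRequestProperties.Options.servertimeoutorigin
      description: The server timeout origin.
      type: String
    - contextPath: AzureDataExplorer.SearchQuery.ClientRequestProperties.Options.query_datascope
      description: The query datascope.
      type: Number
    - contextPath: AzureDataExplorer.SearchQuery.ClientRequestProperties.Options.query_fanout_nodes_percent
      description: The percentage of the query nodes in the cluster to use per subquery distribution operation.
      type: Number
    - contextPath: AzureDataExplorer.SearchQuery.ClientRequestProperties.Options.query_fanout_threads_percent
      description: The percentage of CPUs the cluster will assign on each node.
      type: Number
    - contextPath: AzureDataExplorer.SearchQuery.ClientRequestProperties.Options.maxmemoryconsumptionperiterator
      description: The maximum amount of memory that a single query plan result set iterator can hold.
      type: Number
    - contextPath: AzureDataExplorer.SearchQuery.ClientRequestProperties.Options.max_memory_consumption_per_query_per_node
      description: The maximum amount of memory that can be used on a single node for a specific query.
      type: Number
    - contextPath: AzureDataExplorer.SearchQuery.ClientRequestProperties.Options.truncationmaxsize
      description: The maximum overall data size returned by the query, in bytes.
      type: Number
    - contextPath: AzureDataExplorer.SearchQuery.ClientRequestProperties.Options.truncationmaxrecords
      description: The maximum number of records returned by the query.
      type: Number
    - contextPath: AzureDataExplorer.SearchQuery.ResultSetStatistics.TableCount
      description: The number of tables that were retrieved following search query execution.
      type: Number
    - contextPath: AzureDataExplorer.SearchQuery.ResultSetStatistics.TablesStatistics.RowCount
      description: The row count of the table retrieved following search query execution.
      type: Number
    - contextPath: AzureDataExplorer.SearchQuery.ResultSetStatistics.TablesStatistics.TableSize
      description: The total size in bytes of the table retrieved following search query execution.
      type: Number
    - contextPath: AzureDataExplorer.SearchQuery.WorkloadGroup
      description: The workload group which the query was assigned to. The query is executed using the policies assigned to the workload group. There are two pre-defined workload groups (internal and default) and up to 10 custom workload groups which may be defined at the cluster level.
      type: String
  # --- azure-data-explorer-running-search-query-list ------------------------
  - arguments:
    - default: false
      description: The database name.
      isArray: false
      name: database_name
      required: true
      secret: false
    - default: false
      description: The client activity ID property of the search query. Use this to get a specific running search query.
      isArray: false
      name: client_activity_id
      required: false
      secret: false
    - default: false
      defaultValue: "50"
      description: The maximum number of running queries to return.
      isArray: false
      name: limit
      required: false
      secret: false
    - default: false
      defaultValue: "1"
      description: The page number from which to start a search.
      isArray: false
      name: page
      required: false
      secret: false
    - default: false
      description: The maximum number of running queries to return per page. If this argument is not provided, an automatic pagination will be made according to the limit argument.
      isArray: false
      name: page_size
      required: false
      secret: false
    deprecated: false
    description: >-
      List currently executing search queries in the given database. A
      database admin or database monitor can see any search query that was
      invoked on their database.
      Other users can only see search queries that they themselves invoked.
    execution: false
    name: azure-data-explorer-running-search-query-list
    outputs:
    - contextPath: AzureDataExplorer.RunningSearchQuery.ClientActivityId
      description: "The client activity ID. A unique identifier of the query execution. "
      type: String
    - contextPath: AzureDataExplorer.RunningSearchQuery.Text
      description: "The search query text. "
      type: String
    - contextPath: AzureDataExplorer.RunningSearchQuery.Database
      description: "The name of the database that the search query is run on. "
      type: String
    - contextPath: AzureDataExplorer.RunningSearchQuery.StartedOn
      description: "The query execution start time in UTC. "
      type: Date
    - contextPath: AzureDataExplorer.RunningSearchQuery.LastUpdatedOn
      description: The last update time of the query.
      # Was String; the same field on SearchQuery (completed queries) is Date.
      type: Date
    - contextPath: AzureDataExplorer.RunningSearchQuery.Duration
      description: The search query runtime duration.
      type: Date
    - contextPath: AzureDataExplorer.RunningSearchQuery.State
      description: "The search query state. "
      type: String
    - contextPath: AzureDataExplorer.RunningSearchQuery.RootActivityId
      description: The root activity ID.
      type: String
    - contextPath: AzureDataExplorer.RunningSearchQuery.User
      description: The user who performed the query.
      type: String
    - contextPath: AzureDataExplorer.RunningSearchQuery.FailureReason
      description: The reason for query failure.
      type: String
    - contextPath: AzureDataExplorer.RunningSearchQuery.TotalCpu
      description: The total CPU clock time (User mode + Kernel mode) consumed by this query.
      type: String
    - contextPath: AzureDataExplorer.RunningSearchQuery.CacheStatistics
      description: The cache statistics.
      type: Unknown
    - contextPath: AzureDataExplorer.RunningSearchQuery.Application
      description: The application name that invoked the command.
      type: String
    - contextPath: AzureDataExplorer.RunningSearchQuery.MemoryPeak
      description: The peak memory usage of the running query execution.
      type: Number
    - contextPath: AzureDataExplorer.RunningSearchQuery.ScannedExtentsStatistics
      # Description widened: this is the whole statistics object (type Unknown),
      # mirroring SearchQuery.ScannedExtentsStatistics.* above, not only a count.
      description: The scanned extents statistics.
      type: Unknown
    - contextPath: AzureDataExplorer.RunningSearchQuery.Principal
      description: The principal that invoked the query.
      type: String
    - contextPath: AzureDataExplorer.RunningSearchQuery.ClientRequestProperties.SecurityTokenPresent
      description: Whether the security token is present in the request or not.
      type: Boolean
    - contextPath: AzureDataExplorer.RunningSearchQuery.ClientRequestProperties.AuthorizationScheme
      description: The authorization scheme.
      type: String
    - contextPath: AzureDataExplorer.RunningSearchQuery.ClientRequestProperties.RequestHostName
      description: The hostname of the request.
      type: String
    - contextPath: AzureDataExplorer.RunningSearchQuery.ClientRequestProperties.LocalClusterName
      description: The cluster name.
      type: String
    - contextPath: AzureDataExplorer.RunningSearchQuery.ClientRequestProperties.OriginClusterName
      description: The origin cluster name.
      type: String
    - contextPath: AzureDataExplorer.RunningSearchQuery.ClientRequestProperties.Options.api_version
      description: The API version.
      type: String
    - contextPath: AzureDataExplorer.RunningSearchQuery.ClientRequestProperties.Options.request_readonly
      description: Whether the request is read-only or not.
      type: Boolean
    - contextPath: AzureDataExplorer.RunningSearchQuery.ClientRequestProperties.Options.servertimeout
      description: The server timeout value.
      type: Number
    - contextPath: AzureDataExplorer.RunningSearchQuery.ClientRequestProperties.Options.servertimeoutorigin
      description: The server timeout origin.
      type: String
    - contextPath: AzureDataExplorer.RunningSearchQuery.ClientRequestProperties.Options.query_datascope
      description: The query datascope.
      type: Number
    - contextPath: AzureDataExplorer.RunningSearchQuery.ClientRequestProperties.Options.query_fanout_nodes_percent
      description: The percentage of the query nodes in the cluster to use per subquery distribution operation.
      type: Number
    - contextPath: AzureDataExplorer.RunningSearchQuery.ClientRequestProperties.Options.query_fanout_threads_percent
      description: The percentage of CPUs the cluster will assign on each node.
      type: Number
    - contextPath: AzureDataExplorer.RunningSearchQuery.ClientRequestProperties.Options.maxmemoryconsumptionperiterator
      description: The maximum amount of memory that a single query plan result set iterator can hold.
      type: Number
    - contextPath: AzureDataExplorer.RunningSearchQuery.ClientRequestProperties.Options.max_memory_consumption_per_query_per_node
      description: The maximum amount of memory that can be used on a single node for a specific query.
      type: Number
    - contextPath: AzureDataExplorer.RunningSearchQuery.ClientRequestProperties.Options.truncationmaxsize
      description: The maximum overall data size returned by the query, in bytes.
      type: Number
    - contextPath: AzureDataExplorer.RunningSearchQuery.ClientRequestProperties.Options.truncationmaxrecords
      description: The maximum number of records returned by the query.
      type: Number
    - contextPath: AzureDataExplorer.RunningSearchQuery.ResultSetStatistics
      description: The result set statistics.
      type: Unknown
    - contextPath: AzureDataExplorer.RunningSearchQuery.WorkloadGroup
      description: The workload group.
      type: String
  # --- azure-data-explorer-running-search-query-cancel ----------------------
  - arguments:
    - default: false
      description: The client activity ID of the query to delete.
      isArray: false
      name: client_activity_id
      required: true
      secret: false
    - default: false
      description: The database name.
      isArray: false
      name: database_name
      required: true
      secret: false
    - default: false
      description: "The reason for canceling the running query. "
      isArray: false
      name: reason
      required: false
      secret: false
    deprecated: false
    # Best-effort per the description: callers should check
    # CanceledSearchQuery.RunningQueryCanceled rather than assume success.
    description: Starts a best-effort attempt to cancel a specific running search query in the specified database.
    execution: false
    name: azure-data-explorer-running-search-query-cancel
    outputs:
    - contextPath: AzureDataExplorer.CanceledSearchQuery.RunningQueryCanceled
      description: Whether the query was successfully canceled or not.
      type: Boolean
    - contextPath: AzureDataExplorer.CanceledSearchQuery.ClientRequestId
      description: The client activity ID of the cancelled query.
      type: String
    - contextPath: AzureDataExplorer.CanceledSearchQuery.ReasonPhrase
      description: The reason for canceling the running query.
      type: String
  # --- authorization flow commands (no arguments, no context outputs) -------
  - deprecated: false
    description: Run this command to start the authorization process and follow the instructions in the command results.
    execution: false
    name: azure-data-explorer-auth-start
    arguments: []
    outputs: []
  - deprecated: false
    description: Run this command to complete the authorization process. This should be used after running the azure-data-explorer-auth-start command.
    execution: false
    name: azure-data-explorer-auth-complete
    arguments: []
    outputs: []
  - deprecated: false
    description: Run this command if for some reason you need to rerun the authentication process.
    execution: false
    name: azure-data-explorer-auth-reset
    arguments: []
    outputs: []
  - deprecated: false
    description: Run this command to test the connectivity to Azure Data Explorer.
    execution: false
    name: azure-data-explorer-auth-test
    arguments: []
    outputs: []
  # Pinned image tag; bump deliberately and re-test rather than floating.
  dockerimage: demisto/azure-kusto-data:1.0.0.44974
  feed: false
  isfetch: false
  longRunning: false
  longRunningPort: false
  runonce: false
  # "-" is the content-repo placeholder; the integration code lives in the
  # sibling Python file.
  script: "-"
  subtype: python3
  type: python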
# Test playbooks associated with this integration.
tests:
- playbook-AzureDataExplorer-Test
# Minimum platform version (a string; 6.0.0 is not float-shaped, so no quoting needed).
fromversion: 6.0.0