forked from demisto/content
-
Notifications
You must be signed in to change notification settings - Fork 13
/
AzureDataExplorer.yml
444 lines (443 loc) · 22.2 KB
/
AzureDataExplorer.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
category: Analytics & SIEM
commonfields:
id: AzureDataExplorer
version: -1
configuration:
- name: cluster_url
display: Cluster URL (e.g. https://help.kusto.windows.net)
required: true
defaultvalue: https://help.kusto.windows.net
type: 0
additionalinfo:
- name: client_id
display: Application ID
required: true
defaultvalue: a9ce8db2-847a-46af-9bfb-725d8a8d3c53
type: 0
additionalinfo:
- name: client_activity_prefix
display: Client Activity Prefix
required: true
defaultvalue: XSOAR-DataExplorer
type: 0
additionalinfo: "A customized prefix of the client activity identifier for the query execution. For example, for a prefix value of 'XSOAR-DataExplorer', the client activity ID will be in the format of: 'XSOAR-DataExplorer;<UUID>'."
- name: insecure
display: Trust any certificate (not secure)
defaultvalue: "false"
type: 8
additionalinfo:
required: false
- name: proxy
display: Use system proxy settings
defaultvalue: "false"
type: 8
additionalinfo:
required: false
- name: authentication_type
display: Authentication Type
required: true
defaultvalue: Device Code
type: 15
additionalinfo: Type of authentication - could be Authorization Code Flow (recommended) or Device Code Flow
options:
- Device Code
- Authorization Code
- name: tenant_id
display: Tenant ID (for Authorization Code mode)
defaultvalue:
type: 0
additionalinfo: ""
required: false
- name: credentials
display: Client Secret (for Authorization Code mode)
defaultvalue:
type: 9
additionalinfo: ""
displaypassword: Client Secret (for Authorization Code mode)
hiddenusername: true
required: false
- name: redirect_uri
display: Application redirect URI (for Authorization Code mode)
defaultvalue:
type: 0
additionalinfo: ""
required: false
- name: auth_code
display: Authorization code
defaultvalue:
type: 9
additionalinfo: for Authorization Code mode - received from the authorization step. see Detailed Instructions (?) section
displaypassword: Authorization code
hiddenusername: true
required: false
description: Use the Azure Data Explorer integration to collect and analyze data inside Azure Data Explorer clusters, and to manage search queries.
display: Azure Data Explorer
name: AzureDataExplorer
script:
commands:
- arguments:
- description: Kusto Query Language (KQL) search query to execute on given database.
name: query
required: true
- description: The name of the database to execute the query on.
name: database_name
required: true
- defaultValue: "5"
description: The timeout for the execution of the search query on the server side. The timeout is a float number in minutes that ranges from 0 to 60.
name: timeout
description: Execute a Kusto Query Language (KQL) query against the given database inside a cluster. The Kusto query is a read-only request to process data and return results. To learn more about KQL go to https://docs.microsoft.com/en-us/azure/kusto/query/.
name: azure-data-explorer-search-query-execute
outputs:
- contextPath: AzureDataExplorer.SearchQueryResults.Query
description: The executed query on the given database.
type: String
- contextPath: AzureDataExplorer.SearchQueryResults.ClientActivityID
description: The Client Activity ID. A unique identifier of the executed query.
type: String
- contextPath: AzureDataExplorer.SearchQueryResults.PrimaryResults
description: The results of the query execution.
type: Unknown
- contextPath: AzureDataExplorer.SearchQueryResults.Database
description: The database against which the query will be executed.
type: String
- arguments:
- description: "The name of the database from which to list the completed search queries. "
name: database_name
required: true
- description: The client activity ID property of the search query. Use this value to get a specific search query.
name: client_activity_id
- defaultValue: "50"
description: The maximum number of completed queries to return.
name: limit
- defaultValue: "1"
description: The page number from which to start a search.
name: page
- description: The maximum number of completed queries to return per page. If this argument is not provided, an automatic pagination will be made according to the limit argument.
name: page_size
description: List search queries that have reached a final state in the given database. A database admin or database monitor can see any command that was invoked on their database. Other users can only see queries that they themselves invoked.
name: azure-data-explorer-search-query-list
outputs:
- contextPath: AzureDataExplorer.SearchQuery.ClientActivityId
description: The client activity ID. A unique identifier of the query execution.
type: String
- contextPath: AzureDataExplorer.SearchQuery.Text
description: The search query text.
type: String
- contextPath: AzureDataExplorer.SearchQuery.Database
description: The name of the database that the search query is run on.
type: String
- contextPath: AzureDataExplorer.SearchQuery.StartedOn
description: "The query execution start time in UTC. "
type: Date
- contextPath: AzureDataExplorer.SearchQuery.LastUpdatedOn
description: The last update time of the query.
type: Date
- contextPath: AzureDataExplorer.SearchQuery.Duration
description: The search query runtime.
type: Date
- contextPath: AzureDataExplorer.SearchQuery.State
description: The search query state.
type: String
- contextPath: AzureDataExplorer.SearchQuery.RootActivityId
description: The root activity ID.
type: String
- contextPath: AzureDataExplorer.SearchQuery.User
description: The user who performed the query.
type: String
- contextPath: AzureDataExplorer.SearchQuery.FailureReason
description: The reason for query failure.
type: String
- contextPath: AzureDataExplorer.SearchQuery.TotalCpu
description: The total CPU clock time (User mode + Kernel mode) consumed by this query.
type: String
- contextPath: AzureDataExplorer.SearchQuery.CacheStatistics.Memory.Hits
description: The number of cache hits.
type: Number
- contextPath: AzureDataExplorer.SearchQuery.CacheStatistics.Memory.Misses
description: The number of cache misses.
type: Number
- contextPath: AzureDataExplorer.SearchQuery.CacheStatistics.Disk.Hits
description: The number of disk hits.
type: Number
- contextPath: AzureDataExplorer.SearchQuery.CacheStatistics.Disk.Misses
description: The number of disk misses.
type: Number
- contextPath: AzureDataExplorer.SearchQuery.CacheStatistics.Shards.Hot.HitBytes
description: The amount of data (in bytes) which was found in the hot data cache of the table's extents, during the search query execution.
type: Number
- contextPath: AzureDataExplorer.SearchQuery.CacheStatistics.Shards.Hot.MissBytes
description: The amount of data (in bytes) which was not found in the hot data cache of the table's extents, during the search query execution.
type: Number
- contextPath: AzureDataExplorer.SearchQuery.CacheStatistics.Shards.Hot.RetrieveBytes
description: The amount of data (in bytes) that was retrieved from hot data cache of the table's extents, during the search query execution.
type: Number
- contextPath: AzureDataExplorer.SearchQuery.CacheStatistics.Shards.Cold.HitBytes
description: The amount of data (in bytes) which was found in the cold data cache of the table's extents, during the search query execution.
type: Number
- contextPath: AzureDataExplorer.SearchQuery.CacheStatistics.Shards.Cold.MissBytes
description: The amount of data (in bytes) which was not found in the cold data cache of the table's extents, during the search query execution.
type: Number
- contextPath: AzureDataExplorer.SearchQuery.CacheStatistics.Shards.Cold.RetrieveBytes
description: The amount of data (in bytes) that was retrieved from cold data cache during the search query execution.
type: Number
- contextPath: AzureDataExplorer.SearchQuery.CacheStatistics.Shards.BypassBytes
description: The amount of data (in bytes) that was bypassed (reloaded) in the cache of the table's extents during the search query execution.
type: Number
- contextPath: AzureDataExplorer.SearchQuery.Application
description: The application name that invoked the command.
type: String
- contextPath: AzureDataExplorer.SearchQuery.MemoryPeak
description: The peak memory usage of the query execution.
type: Number
- contextPath: AzureDataExplorer.SearchQuery.ScannedExtentsStatistics.MinDataScannedTime
description: The minimum data scan time.
type: Date
- contextPath: AzureDataExplorer.SearchQuery.ScannedExtentsStatistics.MaxDataScannedTime
description: The maximum data scan time.
type: Date
- contextPath: AzureDataExplorer.SearchQuery.ScannedExtentsStatistics.TotalExtentsCount
description: The total number of extents which were used during the query execution.
type: Number
- contextPath: AzureDataExplorer.SearchQuery.ScannedExtentsStatistics.ScannedExtentsCount
description: The number of extents which were scanned during the query execution.
type: Number
- contextPath: AzureDataExplorer.SearchQuery.ScannedExtentsStatistics.TotalRowsCount
description: The total row count of extents which were used during the query execution.
type: Number
- contextPath: AzureDataExplorer.SearchQuery.ScannedExtentsStatistics.ScannedRowsCount
description: The number of scanned rows of an extent during query execution.
type: Number
- contextPath: AzureDataExplorer.SearchQuery.Principal
description: The principal that invoked the query.
type: String
- contextPath: AzureDataExplorer.SearchQuery.ClientRequestProperties.SecurityTokenPresent
description: Whether the security token is present in the request or not.
type: Boolean
- contextPath: AzureDataExplorer.SearchQuery.ClientRequestProperties.AuthorizationScheme
description: The authorization scheme.
type: String
- contextPath: AzureDataExplorer.SearchQuery.ClientRequestProperties.RequestHostName
description: The hostname of the request.
type: String
- contextPath: AzureDataExplorer.SearchQuery.ClientRequestProperties.LocalClusterName
description: The cluster name.
type: String
- contextPath: AzureDataExplorer.SearchQuery.ClientRequestProperties.OriginClusterName
description: The origin cluster name.
type: String
- contextPath: AzureDataExplorer.SearchQuery.ClientRequestProperties.Options.api_version
description: The API version.
type: String
- contextPath: AzureDataExplorer.SearchQuery.ClientRequestProperties.Options.request_readonly
description: Whether the request is read-only or not.
type: Boolean
- contextPath: AzureDataExplorer.SearchQuery.ClientRequestProperties.Options.servertimeout
description: The server timeout value.
type: Number
- contextPath: AzureDataExplorer.SearchQuery.ClientRequestProperties.Options.servertimeoutorigin
description: The server timeout origin.
type: String
- contextPath: AzureDataExplorer.SearchQuery.ClientRequestProperties.Options.query_datascope
description: The query datascope.
type: Number
- contextPath: AzureDataExplorer.SearchQuery.ClientRequestProperties.Options.query_fanout_nodes_percent
description: The percentage of the query nodes in the cluster to use per subquery distribution operation.
type: Number
- contextPath: AzureDataExplorer.SearchQuery.ClientRequestProperties.Options.query_fanout_threads_percent
description: The percentage of CPUs the cluster will assign on each node.
type: Number
- contextPath: AzureDataExplorer.SearchQuery.ClientRequestProperties.Options.maxmemoryconsumptionperiterator
description: The maximum amount of memory that a single query plan result set iterator can hold.
type: Number
- contextPath: AzureDataExplorer.SearchQuery.ClientRequestProperties.Options.max_memory_consumption_per_query_per_node
description: The maximum amount of memory that can be used on a single node for a specific query.
type: Number
- contextPath: AzureDataExplorer.SearchQuery.ClientRequestProperties.Options.truncationmaxsize
description: The maximum overall data size returned by the query, in bytes.
type: Number
- contextPath: AzureDataExplorer.SearchQuery.ClientRequestProperties.Options.truncationmaxrecords
description: The maximum number of records returned by the query.
type: Number
- contextPath: AzureDataExplorer.SearchQuery.ResultSetStatistics.TableCount
description: The number of tables that were retrieved following search query execution.
type: Number
- contextPath: AzureDataExplorer.SearchQuery.ResultSetStatistics.TablesStatistics.RowCount
description: The row count of the table retrieved following search query execution.
type: Number
- contextPath: AzureDataExplorer.SearchQuery.ResultSetStatistics.TablesStatistics.TableSize
description: The total size in bytes of the table retrieved following search query execution.
type: Number
- contextPath: AzureDataExplorer.SearchQuery.WorkloadGroup
description: The workload group which the query was assigned to. The query is executed using the policies assigned to the workload group. There are two pre-defined workload groups (internal and default) and up to 10 custom workload groups which may be defined at the cluster level.
type: String
- arguments:
- description: The database name.
name: database_name
required: true
- description: The client activity ID property of the search query. Use this to get a specific running search query.
name: client_activity_id
- defaultValue: "50"
description: The maximum number of running queries to return.
name: limit
- defaultValue: "1"
description: The page number from which to start a search.
name: page
- description: The maximum number of running queries to return per page. If this argument is not provided, an automatic pagination will be made according to the limit argument.
name: page_size
description: >-
List currently executing search queries in the given database. A
database admin or database monitor can see any search query that was
invoked on their database.
Other users can only see search queries that they themselves invoked.
name: azure-data-explorer-running-search-query-list
outputs:
- contextPath: AzureDataExplorer.RunningSearchQuery.ClientActivityId
description: "The client activity ID. A unique identifier of the query execution. "
type: String
- contextPath: AzureDataExplorer.RunningSearchQuery.Text
description: "The search query text. "
type: String
- contextPath: AzureDataExplorer.RunningSearchQuery.Database
description: "The name of the database that the search query is run on. "
type: String
- contextPath: AzureDataExplorer.RunningSearchQuery.StartedOn
description: "The query execution start time in UTC. "
type: Date
- contextPath: AzureDataExplorer.RunningSearchQuery.LastUpdatedOn
description: The last update time of the query.
type: String
- contextPath: AzureDataExplorer.RunningSearchQuery.Duration
description: The search query runtime duration.
type: Date
- contextPath: AzureDataExplorer.RunningSearchQuery.State
description: "The search query state. "
type: String
- contextPath: AzureDataExplorer.RunningSearchQuery.RootActivityId
description: The root activity ID.
type: String
- contextPath: AzureDataExplorer.RunningSearchQuery.User
description: The user who performed the query.
type: String
- contextPath: AzureDataExplorer.RunningSearchQuery.FailureReason
description: The reason for query failure.
type: String
- contextPath: AzureDataExplorer.RunningSearchQuery.TotalCpu
description: The total CPU clock time (User mode + Kernel mode) consumed by this query.
type: String
- contextPath: AzureDataExplorer.RunningSearchQuery.CacheStatistics
description: The cache statistics.
type: Unknown
- contextPath: AzureDataExplorer.RunningSearchQuery.Application
description: The application name that invoked the command.
type: String
- contextPath: AzureDataExplorer.RunningSearchQuery.MemoryPeak
description: The peak memory usage of the running query execution.
type: Number
- contextPath: AzureDataExplorer.RunningSearchQuery.ScannedExtentsStatistics
description: The scanned extent count.
type: Unknown
- contextPath: AzureDataExplorer.RunningSearchQuery.Principal
description: The principal that invoked the query.
type: String
- contextPath: AzureDataExplorer.RunningSearchQuery.ClientRequestProperties.SecurityTokenPresent
description: Whether the security token is present in the request or not.
type: Boolean
- contextPath: AzureDataExplorer.RunningSearchQuery.ClientRequestProperties.AuthorizationScheme
description: The authorization scheme.
type: String
- contextPath: AzureDataExplorer.RunningSearchQuery.ClientRequestProperties.RequestHostName
description: The hostname of the request.
type: String
- contextPath: AzureDataExplorer.RunningSearchQuery.ClientRequestProperties.LocalClusterName
description: The cluster name.
type: String
- contextPath: AzureDataExplorer.RunningSearchQuery.ClientRequestProperties.OriginClusterName
description: The origin cluster name.
type: String
- contextPath: AzureDataExplorer.RunningSearchQuery.ClientRequestProperties.Options.api_version
description: The API version.
type: String
- contextPath: AzureDataExplorer.RunningSearchQuery.ClientRequestProperties.Options.request_readonly
description: Whether the request is read-only or not.
type: Boolean
- contextPath: AzureDataExplorer.RunningSearchQuery.ClientRequestProperties.Options.servertimeout
description: The server timeout value.
type: Number
- contextPath: AzureDataExplorer.RunningSearchQuery.ClientRequestProperties.Options.servertimeoutorigin
description: The server timeout origin.
type: String
- contextPath: AzureDataExplorer.RunningSearchQuery.ClientRequestProperties.Options.query_datascope
description: The query datascope.
type: Number
- contextPath: AzureDataExplorer.RunningSearchQuery.ClientRequestProperties.Options.query_fanout_nodes_percent
description: The percentage of the query nodes in the cluster to use per subquery distribution operation.
type: Number
- contextPath: AzureDataExplorer.RunningSearchQuery.ClientRequestProperties.Options.query_fanout_threads_percent
description: The percentage of CPUs the cluster will assign on each node.
type: Number
- contextPath: AzureDataExplorer.RunningSearchQuery.ClientRequestProperties.Options.maxmemoryconsumptionperiterator
description: The maximum amount of memory that a single query plan result set iterator can hold.
type: Number
- contextPath: AzureDataExplorer.RunningSearchQuery.ClientRequestProperties.Options.max_memory_consumption_per_query_per_node
description: The maximum amount of memory that can be used on a single node for a specific query.
type: Number
- contextPath: AzureDataExplorer.RunningSearchQuery.ClientRequestProperties.Options.truncationmaxsize
description: The maximum overall data size returned by the query, in bytes.
type: Number
- contextPath: AzureDataExplorer.RunningSearchQuery.ClientRequestProperties.Options.truncationmaxrecords
description: The maximum number of records returned by the query.
type: Number
- contextPath: AzureDataExplorer.RunningSearchQuery.ResultSetStatistics
description: The result set statistics.
type: Unknown
- contextPath: AzureDataExplorer.RunningSearchQuery.WorkloadGroup
description: The workload group.
type: String
- arguments:
- description: The client activity ID of the query to delete.
name: client_activity_id
required: true
- description: The database name.
name: database_name
required: true
- description: "The reason for canceling the running query. "
name: reason
description: Starts a best-effort attempt to cancel a specific running search query in the specified database.
name: azure-data-explorer-running-search-query-cancel
outputs:
- contextPath: AzureDataExplorer.CanceledSearchQuery.RunningQueryCanceled
description: Whether the query was successfully canceled or not.
type: Boolean
- contextPath: AzureDataExplorer.CanceledSearchQuery.ClientRequestId
description: The client activity ID of the cancelled query.
type: String
- contextPath: AzureDataExplorer.CanceledSearchQuery.ReasonPhrase
description: The reason for canceling the running query.
type: String
- description: Run this command to start the authorization process and follow the instructions in the command results.
name: azure-data-explorer-auth-start
arguments: []
outputs: []
- description: Run this command to complete the authorization process. This should be used after running the azure-data-explorer-auth-start command.
name: azure-data-explorer-auth-complete
arguments: []
outputs: []
- description: Run this command if for some reason you need to rerun the authentication process.
name: azure-data-explorer-auth-reset
arguments: []
outputs: []
- description: Run this command to test the connectivity to Azure Data Explorer.
name: azure-data-explorer-auth-test
arguments: []
outputs: []
- description: Generate the login url used for Authorization code flow.
name: azure-data-explorer-generate-login-url
arguments: []
dockerimage: demisto/azure-kusto-data:1.0.0.66840
runonce: false
script: "-"
subtype: python3
type: python
tests:
- playbook-AzureDataExplorer-Test
fromversion: 6.0.0