microsoft_security_query data source

blackstork/microsoft, v0.4.2

Description

The microsoft_security_query data source queries the Microsoft Security API (advanced hunting).

Installation

To use the microsoft_security_query data source locally via blackstork-cli, you must declare the blackstork/microsoft plugin as a dependency in your global configuration block.

blackstork {
  plugin_versions = {
    "blackstork/microsoft" = ">= v0.4.2"
  }
}

After declaring the dependency, execute blackstork-cli install to fetch the plugin. See Configuration for details.

Configuration

This data source accepts the following configuration arguments within a config data microsoft_security_query block:

config data microsoft_security_query {
  # The Azure client ID
  #
  # Required string.
  #
  # For example:
  client_id = "some string"

  # The Azure client secret. Required if `private_key_file` or `private_key` is not provided.
  #
  # Optional string.
  # Default value:
  client_secret = null

  # The Azure tenant ID
  #
  # Required string.
  #
  # For example:
  tenant_id = "some string"

  # The path to the private key file. Ignored if `private_key` or `client_secret` is provided.
  #
  # Optional string.
  # Default value:
  private_key_file = null

  # The private key contents. Ignored if `client_secret` is provided.
  #
  # Optional string.
  # Default value:
  private_key = null

  # The key passphrase. Ignored if `client_secret` is provided.
  #
  # Optional string.
  # Default value:
  key_passphrase = null
}

Usage

This data source accepts the following arguments within a data microsoft_security_query block:

data microsoft_security_query {
  # Advanced hunting query to run
  #
  # Required string.
  #
  # For example:
  query = "DeviceRegistryEvents | where Timestamp >= ago(30d) | where isnotempty(RegistryKey) and isnotempty(RegistryValueName) | limit 5"
}
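The two blocks above combined into one complete Fabric document, as an added example that is not part of the plugin's own documentation. It uses certificate authentication (so `client_secret` stays at its default and `private_key_file` takes effect) and renders the page's own advanced hunting query; the `document`/`content text` syntax, the `env.*` lookups and the file path are assumptions.

```hcl
# Added example, not from the blackstork/microsoft docs.
# Assumed: Fabric's `document` and `content text` blocks, `env.NAME` for reading
# values from the environment, and the key file path (placeholder).

config data microsoft_security_query {
  client_id = env.AZURE_CLIENT_ID   # assumed env lookup; avoids a literal in the file
  tenant_id = env.AZURE_TENANT_ID

  # Certificate-based auth: private_key_file is only honoured while
  # client_secret and private_key are unset, so leave both at null.
  private_key_file = "/etc/fabric/ms-security-app.pem"   # placeholder path
  key_passphrase   = env.MS_SECURITY_KEY_PASSPHRASE      # only needed for an encrypted key
}

document "registry_changes_last_30d" {
  data microsoft_security_query "registry" {
    # The page's example query, split onto several lines with an HCL heredoc.
    query = <<-EOT
      DeviceRegistryEvents
      | where Timestamp >= ago(30d)
      | where isnotempty(RegistryKey) and isnotempty(RegistryValueName)
      | limit 5
    EOT
  }

  content text {
    # Assumed template path: .data.<data source>.<block name>
    value = "{{ .data.microsoft_security_query.registry }}"
  }
}
```

The query result is reachable under the data source name and block label, so several data blocks with different queries can sit side by side in one document.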