Azure Data Explorer
The Azure Data Explorer connector enables seamless integration with Swimlane, providing the ability to execute KQL queries and retrieve query-related information directly within automated workflows.

Azure Data Explorer is a fast and highly scalable data exploration service for log and telemetry data. The Azure Data Explorer connector for Swimlane Turbine allows users to execute KQL queries and retrieve detailed query information, enabling powerful data analysis within security workflows. By integrating with Azure Data Explorer, Swimlane Turbine users can enhance their security automation playbooks with advanced data analytics capabilities, streamline incident investigation, and gain deeper insights from their telemetry data.

## Limitations

None to date.

## Supported versions

This Azure Data Explorer connector uses the latest version of the API.

## Additional docs

- Azure Data Explorer authentication: https://learn.microsoft.com/en-us/kusto/api/rest/authentication?view=microsoft-fabric
- Azure Data Explorer API documentation: https://learn.microsoft.com/en-us/kusto/api/rest/request?view=microsoft-fabric
- Azure Data Explorer cluster permissions: https://learn.microsoft.com/en-us/azure/data-explorer/manage-cluster-permissions

## Configuration

### Prerequisites

To utilize the Azure Data Explorer connector with Swimlane, ensure you have the following prerequisites.

OAuth 2.0 Client Credentials authentication with the following parameters:

- Cluster Name: the name of your Azure Data Explorer cluster
- Client ID: the application (client) ID registered in Azure Active Directory
- Client Secret: the secret key generated for the registered application
- Scopes: the scopes of access requested for the token, typically in the format `https://*.kusto.windows.net/.default`
- Region: the geographical region where your Azure Data Explorer cluster is hosted

### Authentication methods

OAuth 2.0 Client Credentials authentication:

- Cluster Name: name of the Azure Data Explorer cluster to connect to
- Client ID: application (client) ID registered in Azure AD to authenticate
- Client Secret: secret generated for the registered application in Azure AD
- Scopes: specific permissions that the application should request
- Region: geographic region where your Azure Data Explorer cluster is hosted
- Tenant ID: directory (tenant) ID in Azure AD associated with the service
- Token URL: URL to retrieve the OAuth 2.0 token

In order to set up the asset, you need the following:

- Azure application Client ID
- Azure application Client Secret
- Azure Tenant ID
- Azure Data Explorer cluster

### Steps to create the Azure app

1. Go to the App registration page (https://portal.azure.com/#blade/Microsoft_AAD_RegisteredApps/ApplicationsListBlade) in the Azure portal.
2. Click New registration.
3. Enter a name for your new application and choose "Accounts in this organizational directory only", then click Register at the bottom.
4. Navigate to the API permissions tab on the left navigation menu.
5. Select Add a permission.
6. Select Microsoft Graph.
7. Select Application permissions, then mark all the permissions you need for the actions you are using (see the suggested permissions at the top of the asset setup section).
8. Click the Add permissions button at the bottom of the page.
9. Select Grant admin consent for your organization.
10. Navigate to the Certificates & secrets tab and select New client secret.
11. Fill out the description and expiration, then click the Add button at the bottom. The Value of the secret you just created is the Client Secret needed for the Swimlane asset.
12. Navigate to the Overview tab on the left menu. The Client ID and Tenant ID needed in the asset are shown on this page.

The Client ID, Tenant ID, and Client Secret described in the steps above are the credentials you need for the asset.

### Password flow (delegated auth)

Use delegated permissions instead of application permissions, and generate the Client ID, Tenant ID, and Client Secret as described in the client credentials flow above. This authentication also needs a username and a password.

### Cluster permissions

After generating the Client ID, Tenant ID, and Client Secret:

1. Go to Azure Data Explorer and create a cluster.
2. Open the cluster; in the left-hand menu, under Security + networking, select Permissions.
3. Select Add, and select the role you want to assign.
4. After clicking on the role, a side nav bar opens; click on the Enterprise applications tab.
5. Search for the app to which you want to give permissions and select the app.

## Capabilities

This Azure Data Explorer connector provides the following capabilities:

- Get Query Information
- Launch KQL Query

### Get Query Information

Retrieves details about a specific query in Azure Data Explorer using the provided parameters and headers. Link: https://learn.microsoft.com/en-us/kusto/api/rest/request?view=microsoft-fabric

### Launch KQL Query

Executes a Kusto Query Language (KQL) query in Azure Data Explorer with the specified JSON body and headers. Link: https://learn.microsoft.com/en-us/kusto/api/rest/request?view=microsoft-fabric

## Configurations

### Azure Data Explorer OAuth 2.0 Client Credentials

Authenticates using OAuth 2.0 client credentials.

Configuration parameters:

| Parameter | Description | Type | Required |
|---|---|---|---|
| ClusterName | Azure Data Explorer cluster name | string | required |
| Region | Azure Data Explorer region | string | required |
| Token URL | Token URL, in the form `https://login.microsoftonline.com/{{tenant_id}}/oauth2/token` | string | optional |
| Client ID | The Client ID | string | required |
| Client Secret | The Client Secret | string | required |
| Resource | Permission scopes for this action | string | required |
| Tenant ID | The Tenant ID | string | optional |
| Verify SSL | Verify SSL certificate | boolean | optional |
| HTTP Proxy | A proxy to route requests through | string | optional |

## Actions

### Get Query Information

Retrieves details about a specific query in Azure Data Explorer using the provided CSL parameters and headers.

Endpoint URL: `/v2/rest/query`

Method: GET

Input arguments:

| Name | Type | Required | Description |
|---|---|---|---|
| db | string | optional | The name of the database that is the target of the query or management command |
| csl | string | required | The text of the query or management command to execute |
| properties | string | optional | Request properties that modify how the request is processed and its results |
| headers | object | required | HTTP headers for the request |
| Host | string | required | The qualified domain name that the request was sent to, for example help.kusto.windows.net |
| Expect | string | optional | The expected response from the server; it can be set to 100-continue |
| x-ms-client-request-id | string | optional | A unique identifier for the request |
| x-ms-user-id | string | optional | The same friendly name as x-ms-user |
| x-ms-app | string | optional | The friendly name of the application making the request |
| x-ms-user | string | optional | The friendly name of the user making the request |
| x-ms-client-version | string | optional | The friendly version identifier for the client making the request |
| x-ms-readonly | string | optional | If specified, forces the request to run in read-only mode, which prevents the request from changing data |

Output:

| Parameter | Type | Description |
|---|---|---|
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |

Example:

```json
[
  {
    "status_code": 200,
    "response_headers": {
      "Content-Type": "application/json",
      "Date": "Tue, 04 Feb 2025 12:04:15 GMT",
      "Server": "Kestrel",
      "Cache-Control": "no-store,no-cache",
      "Content-Encoding": "gzip",
      "Pragma": "no-cache",
      "Transfer-Encoding": "chunked",
      "Vary": "Accept-Encoding",
      "x-ms-client-request-id": "unspecified;7d4ccafa-513a-4596-81c9-47a399a11f06",
      "x-ms-activity-id": "2512d0de-7eaf-4409-84bb-e0a1e16c6757",
      "Strict-Transport-Security": "max-age=2592000; includeSubDomains"
    },
    "reason": "OK",
    "json_body": [
      {
        "FrameType": "DataSetHeader",
        "IsProgressive": false,
        "Version": "v2.0",
        "IsFragmented": false,
        "ErrorReportingPlacement": "InData"
      },
      {
        "FrameType": "DataTable",
        "TableId": 0,
        "TableKind": "QueryProperties",
        "TableName": "@ExtendedProperties",
        "Columns": [
          { "ColumnName": "TableId", "ColumnType": "int" },
          { "ColumnName": "Key", "ColumnType": "string" },
          { "ColumnName": "Value", "ColumnType": "dynamic" }
        ],
        "Rows": [
          [ 1, "Visualization", "{\"Visualization\":null,\"Title\":null,\"XColumn\":null,\"Series\":null,\"YColumns\":null,\"AnomalyColumns\":null,\"XTitle\":null,\"YTitle\":null,\"XAxis\":null,\"YAxis\":null,\"Legend\":null,\"YSplit\":null,\"Accumulate\":false,\"IsQuerySorted\":false,\"Kind\":null,\"Ymin\":\"NaN\",\"Ymax\":\"NaN\",\"Xmin\":null,\"Xmax\":null}" ]
        ]
      },
      {
        "FrameType": "DataTable",
        "TableId": 1,
        "TableKind": "PrimaryResult",
        "TableName": "PrimaryResult",
        "Columns": [
          { "ColumnName": "Test", "ColumnType": "string" }
        ],
        "Rows": [
          [ "Hello, World!" ]
        ]
      }
    ]
  }
]
```

### Launch KQL Query

Executes a Kusto Query Language (KQL) query within Azure Data Explorer using the provided JSON body and headers.

Endpoint URL: `/v2/rest/query`

Method: POST

Input arguments:

| Name | Type | Required | Description |
|---|---|---|---|
| headers | object | required | HTTP headers for the request |
| Host | string | required | The qualified domain name that the request was sent to, for example help.kusto.windows.net |
| Expect | string | optional | The expected response from the server; it can be set to 100-continue |
| x-ms-client-request-id | string | optional | A unique identifier for the request |
| x-ms-user-id | string | optional | The same friendly name as x-ms-user |
| x-ms-app | string | optional | The friendly name of the application making the request |
| x-ms-user | string | optional | The friendly name of the user making the request |
| x-ms-client-version | string | optional | The friendly version identifier for the client making the request |
| x-ms-readonly | string | optional | If specified, forces the request to run in read-only mode, which prevents the request from changing data |
| db | string | optional | The name of the database that is the target of the query or management command |
| csl | string | required | The text of the query or management command to execute |
| properties | string | optional | Request properties that modify how the request is processed and its results |

Output:

| Parameter | Type | Description |
|---|---|---|
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |

Example:

```json
[
  {
    "status_code": 200,
    "response_headers": {
      "Content-Type": "application/json",
      "Date": "Tue, 04 Feb 2025 12:03:23 GMT",
      "Server": "Kestrel",
      "Content-Encoding": "gzip",
      "Transfer-Encoding": "chunked",
      "Vary": "Accept-Encoding",
      "x-ms-client-request-id": "unspecified;7d728610-38f7-49ea-a001-3f3aafb89312",
      "x-ms-activity-id": "14d87bfa-d0ea-44d8-9da9-b50212715d72",
      "Strict-Transport-Security": "max-age=2592000; includeSubDomains"
    },
    "reason": "OK",
    "json_body": [
      {
        "FrameType": "DataSetHeader",
        "IsProgressive": false,
        "Version": "v2.0",
        "IsFragmented": false,
        "ErrorReportingPlacement": "InData"
      },
      {
        "FrameType": "DataTable",
        "TableId": 0,
        "TableKind": "QueryProperties",
        "TableName": "@ExtendedProperties",
        "Columns": [
          { "ColumnName": "TableId", "ColumnType": "int" },
          { "ColumnName": "Key", "ColumnType": "string" },
          { "ColumnName": "Value", "ColumnType": "dynamic" }
        ],
        "Rows": [
          [ 1, "Visualization", "{\"Visualization\":null,\"Title\":null,\"XColumn\":null,\"Series\":null,\"YColumns\":null,\"AnomalyColumns\":null,\"XTitle\":null,\"YTitle\":null,\"XAxis\":null,\"YAxis\":null,\"Legend\":null,\"YSplit\":null,\"Accumulate\":false,\"IsQuerySorted\":false,\"Kind\":null,\"Ymin\":\"NaN\",\"Ymax\":\"NaN\",\"Xmin\":null,\"Xmax\":null}" ]
        ]
      },
      {
        "FrameType": "DataTable",
        "TableId": 1,
        "TableKind": "PrimaryResult",
        "TableName": "PrimaryResult",
        "Columns": [
          { "ColumnName": "Test", "ColumnType": "string" }
        ],
        "Rows": [
          [ "Hello, World!" ]
        ]
      }
    ]
  }
]
```

## Response headers

| Header | Description | Example |
|---|---|---|
| Cache-Control | Directives for caching mechanisms | no-store,no-cache |
| Content-Encoding | HTTP response header Content-Encoding | gzip |
| Content-Type | The media type of the resource | application/json |
| Date | The date and time at which the message was originated | Tue, 04 Feb 2025 12:04:15 GMT |
| Pragma | HTTP response header Pragma | no-cache |
| Server | Information about the software used by the origin server | Kestrel |
| Strict-Transport-Security | HTTP response header Strict-Transport-Security | max-age=2592000; includeSubDomains |
| Transfer-Encoding | HTTP response header Transfer-Encoding | chunked |
| Vary | HTTP response header Vary | Accept-Encoding |
| x-ms-activity-id | HTTP response header x-ms-activity-id | 14d87bfa-d0ea-44d8-9da9-b50212715d72 |
| x-ms-client-request-id | HTTP response header x-ms-client-request-id | unspecified;7d4ccafa-513a-4596-81c9-47a399a11f06 |
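As an added example (not code from this page or from Swimlane), the following Python builds the headers and JSON body for the Launch KQL Query action, setting `x-ms-readonly` so a query cannot change data, and parses the v2 frame array shown in the example outputs above into PrimaryResult rows. The host name, database, `swimlane;` request-id prefix and the sample response are constructed for the example.

```python
"""Build a Kusto /v2/rest/query request and parse the v2 response frames."""
import json
import uuid

# Constructed sample response, modelled on the example output above.
SAMPLE_RESPONSE = json.dumps([
    {"FrameType": "DataSetHeader", "IsProgressive": False, "Version": "v2.0",
     "IsFragmented": False, "ErrorReportingPlacement": "InData"},
    {"FrameType": "DataTable", "TableId": 0, "TableKind": "QueryProperties",
     "TableName": "@ExtendedProperties",
     "Columns": [{"ColumnName": "TableId", "ColumnType": "int"},
                 {"ColumnName": "Key", "ColumnType": "string"},
                 {"ColumnName": "Value", "ColumnType": "dynamic"}],
     "Rows": [[1, "Visualization", "{\"Visualization\":null}"]]},
    {"FrameType": "DataTable", "TableId": 1, "TableKind": "PrimaryResult",
     "TableName": "PrimaryResult",
     "Columns": [{"ColumnName": "Test", "ColumnType": "string"}],
     "Rows": [["Hello, World!"]]},
])


def build_query_request(host, db, csl, read_only=True):
    """Return (headers, body) for POST /v2/rest/query. The bearer token is
    left out here; the connector's OAuth 2.0 asset supplies it."""
    headers = {
        "Host": host,
        "Content-Type": "application/json",
        # The "swimlane;" prefix is a constructed client-request-id convention.
        "x-ms-client-request-id": f"swimlane;{uuid.uuid4()}",
    }
    if read_only:
        # Stops a csl that turns out to be a management command from changing data.
        headers["x-ms-readonly"] = "true"
    return headers, {"db": db, "csl": csl}


def primary_result_rows(response_text):
    """Parse v2 frames; return PrimaryResult rows as dicts keyed by column name."""
    frames = json.loads(response_text)
    if not frames or frames[0].get("FrameType") != "DataSetHeader":
        raise ValueError("response does not start with a DataSetHeader frame")
    rows = []
    for frame in frames:
        if frame.get("FrameType") != "DataTable" or frame.get("TableKind") != "PrimaryResult":
            continue  # skip @ExtendedProperties and other auxiliary tables
        names = [c["ColumnName"] for c in frame["Columns"]]
        rows.extend(dict(zip(names, row)) for row in frame["Rows"])
    return rows
```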