Doc fixes

blackstork-io · Nov 14, 2024 · 4739fc7 · 4739fc7
1 parent 30d9ed0
commit 4739fc7
Show file tree

Hide file tree

Showing 5 changed files with 117 additions and 6 deletions.
diff --git a/docs/plugins/microsoft/data-sources/microsoft_graph.md b/docs/plugins/microsoft/data-sources/microsoft_graph.md
@@ -109,7 +109,7 @@ data microsoft_graph {
   # Default value:
   size = 50
 
-  # Indicates if API endpoint serves a single object. If set to `true`, `query_params` and `size` arguments are ignored.
+  # Indicates if API endpoint serves a single object.
   #
   # Optional bool.
   # Default value:

diff --git a/docs/plugins/microsoft/data-sources/microsoft_security.md b/docs/plugins/microsoft/data-sources/microsoft_security.md
@@ -84,13 +84,13 @@ The data source supports the following execution arguments:
 
 ```hcl
 data microsoft_security {
-  # The endpoint to query
+  # API endpoint to query
   #
   # Required string.
   # For example:
   endpoint = "/users"
 
-  # The query parameters
+  # HTTP query parameters
   #
   # Optional map of string.
   # Default value:

diff --git a/docs/plugins/microsoft/data-sources/microsoft_security_query.md b/docs/plugins/microsoft/data-sources/microsoft_security_query.md
@@ -0,0 +1,93 @@
+---
+title: "`microsoft_security_query` data source"
+plugin:
+  name: blackstork/microsoft
+  description: "The `microsoft_defender_query` data source queries Microsoft Security API"
+  tags: []
+  version: "v0.4.2"
+  source_github: "https://github.com/blackstork-io/fabric/tree/main/internal/microsoft/"
+resource:
+  type: data-source
+type: docs
+---
+
+{{< breadcrumbs 2 >}}
+
+{{< plugin-resource-header "blackstork/microsoft" "microsoft" "v0.4.2" "microsoft_security_query" "data source" >}}
+
+## Description
+The `microsoft_defender_query` data source queries Microsoft Security API.
+
+## Installation
+
+To use `microsoft_security_query` data source, you must install the plugin `blackstork/microsoft`.
+
+To install the plugin, add the full plugin name to the `plugin_versions` map in the Fabric global configuration block (see [Global configuration]({{< ref "configs.md#global-configuration" >}}) for more details), as shown below:
+
+```hcl
+fabric {
+  plugin_versions = {
+    "blackstork/microsoft" = ">= v0.4.2"
+  }
+}
+```
+
+Note the version constraint set for the plugin.
+
+## Configuration
+
+The data source supports the following configuration arguments:
+
+```hcl
+config data microsoft_security_query {
+  # The Azure client ID
+  #
+  # Required string.
+  # For example:
+  client_id = "some string"
+
+  # The Azure client secret. Required if `private_key_file` or `private_key` is not provided.
+  #
+  # Optional string.
+  # Default value:
+  client_secret = null
+
+  # The Azure tenant ID
+  #
+  # Required string.
+  # For example:
+  tenant_id = "some string"
+
+  # The path to the private key file. Ignored if `private_key` or `client_secret` is provided.
+  #
+  # Optional string.
+  # Default value:
+  private_key_file = null
+
+  # The private key contents. Ignored if `client_secret` is provided.
+  #
+  # Optional string.
+  # Default value:
+  private_key = null
+
+  # The key passphrase. Ignored if `client_secret` is provided.
+  #
+  # Optional string.
+  # Default value:
+  key_passphrase = null
+}
+```
+
+## Usage
+
+The data source supports the following execution arguments:
+
+```hcl
+data microsoft_security_query {
+  # Advanced hunting query to run
+  #
+  # Required string.
+  # For example:
+  query = "DeviceRegistryEvents | where Timestamp >= ago(30d) | where isnotempty(RegistryKey) and isnotempty(RegistryValueName) | limit 5"
+}
+```
diff --git a/docs/plugins/plugins.json b/docs/plugins/plugins.json
@@ -500,6 +500,21 @@
           "size"
         ]
       },
+      {
+        "name": "microsoft_security_query",
+        "type": "data-source",
+        "config_params": [
+          "client_id",
+          "client_secret",
+          "key_passphrase",
+          "private_key",
+          "private_key_file",
+          "tenant_id"
+        ],
+        "arguments": [
+          "query"
+        ]
+      },
       {
         "name": "microsoft_sentinel_incidents",
         "type": "data-source",

diff --git a/internal/microsoft/data_microsoft_security_query.go b/internal/microsoft/data_microsoft_security_query.go
@@ -59,9 +59,12 @@ func makeMicrosoftSecurityQueryDataSource(loader MicrosoftSecurityClientLoadFn)
 		Args: &dataspec.RootSpec{
 			Attrs: []*dataspec.AttrSpec{
 				{
-					Name:        "query",
-					Doc:         "Advanced hunting query to run",
-					Type:        cty.String,
+					Name: "query",
+					Doc:  "Advanced hunting query to run",
+					Type: cty.String,
+					ExampleVal: cty.StringVal(
+						"DeviceRegistryEvents | where Timestamp >= ago(30d) | where isnotempty(RegistryKey) and isnotempty(RegistryValueName) | limit 5",
+					),
 					Constraints: constraint.RequiredNonNull,
 				},
 			},