RFPD-77178: log ingestion api 2#21
| } | ||
| }, | ||
| "Send_Data_-_Save_Lookup_results_to_LogAnalytics_Custom_Log": { | ||
| "Compose_lookup_row": { |
Why did the previous version not need this?
The old version used the azureloganalyticsdatacollector connector which auto-flattened whatever JSON it received into _s/_t/_d columns — no schema, no named fields required.
The new Log Ingestion API is schema-driven: the DCR declares specific columns (risky_user_email, data) and the transformKql extracts them by name. The raw Credential_Lookup_V2 response body has identities, count, next_offset at the top level — neither risky_user_email nor data. So we need Compose to explicitly shape the object with the named fields before POSTing, otherwise both columns would be null.
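As an added example (not the PR's playbook JSON and not Recorded Future's code), this is what the shaping step and the POST look like as a fragment of a Logic Apps workflow definition's `actions` object. `Compose_lookup_row`, `Credential_Lookup_V2`, the `Send_Data_-_...` scope name and the column names `risky_user_email` / `data` are taken from this thread; the outer loop name `For_Each_-_Risky_User`, the HTTP action name, the stream name `Custom-RFIdentityLookup_CL`, and the `<DCE>` / `<DCR-IMMUTABLE-ID>` placeholders are assumptions.

```jsonc
// Added example, not the project's own template. Names marked "assumed" are not from the PR.
// Fragment of a Logic Apps workflow definition: the "actions" object of an enclosing
// For_Each_-_Risky_User loop (assumed) that has already called Credential_Lookup_V2.
{
  "actions": {
    "Send_Data_-_Save_Lookup_results_to_LogAnalytics_Custom_Log": {
      "type": "Scope",
      "runAfter": { "Credential_Lookup_V2": [ "Succeeded" ] },
      "actions": {
        // Shape the row so its property names match the DCR columns exactly.
        // The raw Credential_Lookup_V2 body has identities/count/next_offset at the top
        // level and nothing called risky_user_email or data, so without this step the
        // transformKql finds neither column and both land as null.
        "Compose_lookup_row": {
          "type": "Compose",
          "inputs": {
            "risky_user_email": "@items('For_Each-_Risky_User')",   // assumed outer loop item
            "data": "@body('Credential_Lookup_V2')"                   // whole response as dynamic
          }
        },
        "Send_Lookup_Row_to_Logs_Ingestion_API": {                   // assumed action name
          "type": "Http",
          "runAfter": { "Compose_lookup_row": [ "Succeeded" ] },
          "inputs": {
            "method": "POST",
            // <DCE> and <DCR-IMMUTABLE-ID> are placeholders; the stream name is assumed
            // and must match the streamDeclarations entry in the DCR.
            "uri": "https://<DCE>.ingest.monitor.azure.com/dataCollectionRules/<DCR-IMMUTABLE-ID>/streams/Custom-RFIdentityLookup_CL?api-version=2023-01-01",
            "headers": { "Content-Type": "application/json" },
            // The Logs Ingestion API expects a JSON array of rows, so wrap the single object.
            "body": "@array(outputs('Compose_lookup_row'))",
            "authentication": {
              "type": "ManagedServiceIdentity",
              "audience": "https://monitor.azure.com"
            }
          }
        }
      }
    }
  }
}
```

The DCR side of this contract is the `streamDeclarations` entry for `Custom-RFIdentityLookup_CL` declaring `risky_user_email` (string) and `data` (dynamic), with a `transformKql` along the lines of `source | extend TimeGenerated = now() | project TimeGenerated, risky_user_email, data`; any property the Compose emits under a different name is silently dropped by that projection, which is the failure mode the comment above describes.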
| "name": "transformed_rf_api_credential_dump_creds", | ||
| "value": { | ||
| "email": "@items('For_Each_-_Make_new_and_known_Credential_dumps_be_comparable')" | ||
| "email": "@string(items('For_Each_-_Make_new_and_known_Credential_dumps_be_comparable'))" |
Why do we need `string`?
The credential_dumps items from the RF API are plain email strings (e.g. "user@domain.com"), not objects. When Logic Apps iterates a JSON array of strings, items() has type any.
We wrap each item in {"email": ...} to match the shape returned by the LA dedup query (| project email=email), so the contains() check works correctly.
@string(items(...)) coerces the raw any-typed value to a string scalar — without it Logic Apps may treat the item as a dynamic/object reference rather than a string, which would cause contains() to never match (silent dedup breakage).
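As an added example (not the PR's playbook JSON and not Recorded Future's code), here is the loop that builds the comparable objects together with the dedup filter that consumes them, as a fragment of a Logic Apps `actions` object. The variable name `transformed_rf_api_credential_dump_creds`, the loop name and the `@string(items(...))` coercion are from this thread; the initialize, append and filter action names, the `Run_query_and_list_results` action (the Log Analytics dedup query whose rows are `{"email": ...}`), and the `credential_dumps` path are assumptions.

```jsonc
// Added example, not the project's own template. Names marked "assumed" are not from the PR.
{
  "actions": {
    "Initialize_transformed_rf_api_credential_dump_creds": {        // assumed name
      "type": "InitializeVariable",
      "inputs": {
        "variables": [
          { "name": "transformed_rf_api_credential_dump_creds", "type": "array", "value": [] }
        ]
      }
    },
    "For_Each_-_Make_new_and_known_Credential_dumps_be_comparable": {
      "type": "Foreach",
      "runAfter": { "Initialize_transformed_rf_api_credential_dump_creds": [ "Succeeded" ] },
      // credential_dumps is a JSON array of plain e-mail strings, so items() is typed "any".
      "foreach": "@body('Credential_Lookup_V2')?['credential_dumps']",   // assumed path
      "actions": {
        "Append_credential_dump_as_object": {                          // assumed name
          "type": "AppendToArrayVariable",
          "inputs": {
            "name": "transformed_rf_api_credential_dump_creds",
            // Weak form from the first revision of the PR:
            //   "email": "@items('For_Each_-_Make_new_and_known_Credential_dumps_be_comparable')"
            // Coercing with string() yields a string scalar, so the object has the same
            // shape as a row from the LA query (| project email=email) and contains() can match.
            "value": {
              "email": "@string(items('For_Each_-_Make_new_and_known_Credential_dumps_be_comparable'))"
            }
          }
        }
      }
    },
    "Filter_-_Keep_only_unknown_credential_dumps": {                    // assumed name
      "type": "Query",
      "runAfter": {
        "For_Each_-_Make_new_and_known_Credential_dumps_be_comparable": [ "Succeeded" ]
      },
      "inputs": {
        "from": "@variables('transformed_rf_api_credential_dump_creds')",
        // Run_query_and_list_results (assumed) is the LA connector action whose output
        // "value" is the array of {"email": "..."} rows already stored; keep the rest.
        "where": "@not(contains(body('Run_query_and_list_results')?['value'], item()))"
      }
    }
  }
}
```

A quick way to confirm the coercion is doing its job is to compare the run history of the append action with a row from the query action: both should show `"email"` as a JSON string value. If the appended side shows anything else, the `contains()` in the filter will never match and every credential dump will be treated as new, which is the silent dedup breakage described above.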
| @@ -0,0 +1,326 @@ | |||
| { | |||
Should we also add a connector tile? Similar to the alert importer.
Good point. I'll add it — modelled on the alert importer tile in azuredeploy-alert-importer.json.
856ac8a to aad7680
- Add readme links to descriptionMarkdown on both tiles
- Add Step 2 (RFI-CustomConnector) to both tiles
- Alert importer: add Step 4 (Analytics Rule), fix permissions text
- v3.0: Step 3 links to readme instead of listing playbooks inline
aad7680 to daeed67
| ### This is a readme for the old version of Recorded Future Identity, for the new version based on Playbook Alerts, see [readme](../readme.md) | ||
| > [!IMPORTANT] |
Note: I haven't reviewed this readme and made it Niklas-beautiful yet; it's just AI as of now.