OffBroadway.Defender365.Producer (off_broadway_defender365 v1.0.0)

GenStage Producer for a stream of incidents from the Microsoft 365 Defender APIs.

Producer options

  • :receive_interval - The duration (in milliseconds) for which the producer waits before making a request for more messages. Keep in mind that the 365 Defender API quota is 50 calls per minute and 1500 calls per hour. The default value is 5000.

  • :from_timestamp - If present, only incidents whose "lastUpdateTime" is greater than or equal to this value are fetched.

  • :on_success - Configures the acking behaviour for successful messages. See the "Acknowledgements" section below for all the possible values. The default value is :ack.

  • :on_failure - Configures the acking behaviour for failed messages. See the "Acknowledgements" section below for all the possible values. The default value is :noop.

  • :incident_client - A module that implements the OffBroadway.Defender365.Client behaviour. This module is responsible for fetching and acknowledging the messages from the 365 Defender APIs. All options passed to the producer will also be forwarded to the client. The default value is OffBroadway.Defender365.IncidentClient.

  • :config - Required. A set of config options that overrides the default config for the incident_client module. Any option set here can also be configured in config.exs.

    • :tenant_id - Required. Tenant ID to consume incidents for

    • :client_id - Required. Client ID to use for obtaining authentication token

    • :client_secret - Required. Client secret to use for obtaining authentication token

Acknowledgements

You can use on_success and on_failure options to control how messages are acknowledged. You can set these options when starting the Defender365 producer, or change them for each message through Broadway.Message.configure_ack/2. By default, successful messages are acked (:ack) and failed messages are not (:noop).

The possible values for :on_success and :on_failure are:

  • :ack - acknowledge the message. The 365 Defender APIs have no concept of acking messages, because the producer only consumes messages from a web API endpoint. For now, the producer just emits a :telemetry event for acked messages.

  • :noop - do not acknowledge the message. No action is taken.

## Telemetry

This library exposes the following telemetry events:

* `[:off_broadway_defender365, :receive_messages, :start]` - Dispatched before receiving
  messages from the 365 Defender APIs.

  * measurement: `%{time: System.monotonic_time}`
  * metadata: `%{tenant_id: string, demand: integer}`

* `[:off_broadway_defender365, :receive_messages, :stop]` - Dispatched after messages have been
  received from the 365 Defender APIs and "wrapped".

  * measurement: `%{time: native_time}`
  * metadata:

  ```
  %{
    tenant_id: string,
    received: integer,
    demand: integer
  }
  ```

* `[:off_broadway_defender365, :receive_messages, :exception]` - Dispatched after a failure while
  receiving messages from the 365 Defender APIs.

  * measurement: `%{duration: native_time}`
  * metadata:

  ```
  %{
    tenant_id: string,
    demand: integer,
    kind: kind,
    reason: reason,
    stacktrace: stacktrace
  }
  ```

* `[:off_broadway_defender365, :receive_messages, :ack]` - Dispatched when acking a message.

  * measurement: `%{time: System.system_time, count: 1}`
  * metadata:

  ```
  %{
    tenant_id: string,
    receipt: receipt
  }
  ```
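
As an added example (not code from the off_broadway_defender365 project), a Broadway pipeline that wires together the producer options, the per-message acknowledgement override, and the telemetry events described above. `MyApp.IncidentPipeline`, the hypothetical sink `MyApp.Incidents.store/1`, the `DEFENDER_*` environment variables and the ISO 8601 string format of `:from_timestamp` are assumptions.

```elixir
defmodule MyApp.IncidentPipeline do
  use Broadway
  require Logger

  @events [
    [:off_broadway_defender365, :receive_messages, :stop],
    [:off_broadway_defender365, :receive_messages, :exception],
    [:off_broadway_defender365, :receive_messages, :ack]
  ]

  def start_link(_opts) do
    # Handler id is arbitrary; attaching twice returns {:error, :already_exists}.
    :ok = :telemetry.attach_many("defender365-pipeline", @events, &__MODULE__.handle_event/4, nil)

    Broadway.start_link(__MODULE__,
      name: __MODULE__,
      producer: [
        module:
          {OffBroadway.Defender365.Producer,
           # Default is 5000 ms. The 50 calls/min quota implies a floor of 1200 ms and
           # the 1500 calls/hour quota a sustained floor of 2400 ms between requests.
           receive_interval: 5_000,
           # Assumed to be an ISO 8601 string (format not stated on this page).
           from_timestamp: DateTime.utc_now() |> DateTime.add(-3600, :second) |> DateTime.to_iso8601(),
           on_success: :ack,
           on_failure: :noop,
           config: [
             tenant_id: System.fetch_env!("DEFENDER_TENANT_ID"),
             client_id: System.fetch_env!("DEFENDER_CLIENT_ID"),
             client_secret: System.fetch_env!("DEFENDER_CLIENT_SECRET")
           ]},
        concurrency: 1
      ],
      processors: [default: [concurrency: 2]]
    )
  end

  @impl true
  def handle_message(_processor, %Broadway.Message{data: incident} = msg, _ctx) do
    case MyApp.Incidents.store(incident) do
      :ok -> msg
      # Per-message override: ack this failure too so the :ack telemetry event still fires.
      {:error, reason} -> msg |> Broadway.Message.configure_ack(on_failure: :ack) |> Broadway.Message.failed(reason)
    end
  end

  # Measurement and metadata keys follow the Telemetry section of this page.
  def handle_event([_, _, :stop], _m, %{tenant_id: t, received: n, demand: d}, _), do: Logger.info("defender365 tenant=#{t} received=#{n} demand=#{d}")
  def handle_event([_, _, :exception], %{duration: dur}, meta, _), do: Logger.error("defender365 fetch failed tenant=#{meta.tenant_id} after=#{System.convert_time_unit(dur, :native, :millisecond)}ms reason=#{inspect(meta.reason)}")
  def handle_event([_, _, :ack], %{count: c}, %{tenant_id: t}, _), do: Logger.debug("defender365 acked count=#{c} tenant=#{t}")
end
```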