All connectors are plugins. Built-in connectors ship with mallcop. You can override any built-in connector by dropping a same-named plugin into plugins/connectors/ in your deployment repo.

Azure

The Azure connector polls Activity Log, Container Apps access logs, Cosmos DB diagnostics, and Microsoft Defender free tier findings.

Auth

Service principal with read-only roles. Minimum: Reader + Monitoring Reader.

# Environment variables
AZURE_TENANT_ID=your-tenant-id
AZURE_CLIENT_ID=your-sp-client-id
AZURE_CLIENT_SECRET=your-sp-secret
AZURE_SUBSCRIPTION_ID=your-sub-id  # optional if in mallcop.yaml

Event types

Type                      | Description                                            | Detector Coverage
role_assignment           | New role assignment on subscription or resource group  | priv-escalation, new-external-access
permission_change         | Permission modification on any resource                | priv-escalation
service_principal_created | New app registration or service principal              | new-actor
resource_access           | Key Vault access, Storage access, Cosmos DB queries    | unusual-resource-access
admin_action              | Subscription-level administrative operations           | unusual-timing, priv-escalation
login                     | Entra ID sign-in events                                | auth-failure-burst, unusual-timing
defender_alert            | Microsoft Defender free-tier alerts                    | All detectors receive these

Configuration

connectors:
  - id: azure
    type: azure
    subscriptions:
      - "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
    resource_groups: []          # empty = all
    include_container_logs: true # requires Log Analytics workspace
    lookback_hours: 8            # hours of history per scan

AWS CloudTrail

Polls the CloudTrail LookupEvents API; requests are signed with SigV4. Covers IAM changes, security group modifications, S3 policy changes, and console logins.

Auth

AWS_ACCESS_KEY_ID=AKIA...
AWS_SECRET_ACCESS_KEY=...
AWS_DEFAULT_REGION=us-east-1

Minimum IAM permissions: cloudtrail:LookupEvents, cloudtrail:DescribeTrails.

Event types captured

  • IAM user and role changes (CreateUser, AttachRolePolicy, etc.)
  • Security group modifications (AuthorizeSecurityGroupIngress, etc.)
  • S3 bucket policy and ACL changes
  • Lambda function creation and permission changes
  • Console login events
  • Access key creation and deletion
  • CloudTrail configuration changes (trail disable, log file validation)

Configuration

connectors:
  - id: aws
    type: aws-cloudtrail
    region: us-east-1
    lookback_hours: 8

GitHub

Polls the GitHub org audit log API. Captures membership changes, permission changes, secret scanning alerts, Dependabot findings, and Actions workflow events.

Auth

GITHUB_TOKEN=github_pat_...    # personal access token or GitHub App token

Required scopes: read:audit_log, repo (for Dependabot/secret scanning).

Event types

Type                  | Description
org_membership        | Member added/removed from org
repo_permission       | Collaborator added, permission changed
collaborator_added    | External collaborator added to repo
secret_scanning_alert | GitHub detected a secret in a commit
dependabot_alert      | Dependency vulnerability found
workflow_run          | Actions workflow triggered and completed
oauth_authorization   | OAuth app authorized by org member

Configuration

connectors:
  - id: github
    type: github
    org: "your-org-name"
    include_dependabot: true
    include_secret_scanning: true

Microsoft 365

Uses the Office 365 Management Activity API. Covers Azure AD sign-ins, admin actions, Exchange mail rules, SharePoint access, and DLP policy matches. The API only retains 7 days of activity, so regular polling (every 6 hours) avoids gaps.

Auth

M365_TENANT_ID=your-tenant-id
M365_CLIENT_ID=your-app-client-id
M365_CLIENT_SECRET=your-app-secret

Register an Azure AD app with ActivityFeed.Read permission (Office 365 Management APIs). Admin consent required.

Event types

  • Azure AD sign-ins (success and failure)
  • Admin role changes
  • Exchange: mail rule creation, external forwarding, delegate access
  • SharePoint: external sharing, bulk download
  • DLP: policy matches, false positive feedback

Configuration

connectors:
  - id: m365
    type: m365
    tenant_id: "${M365_TENANT_ID}"

Container Logs

Queries Azure Log Analytics for container app stdout/stderr. Works with Azure Container Apps including scaled-to-zero applications. Parses structured log lines against app-specific templates; unmatched lines trigger the log-format-drift detector.

Auth

LOG_ANALYTICS_WORKSPACE_ID=your-workspace-id
# Auth reuses Azure SP credentials (AZURE_CLIENT_ID / AZURE_CLIENT_SECRET)

Configuration

connectors:
  - id: container-logs
    type: container-logs
    workspace_id: "${LOG_ANALYTICS_WORKSPACE_ID}"
    apps: []   # empty = all apps in workspace
    lookback_hours: 8

Use mallcop discover-app <app-name> to sample an app's logs and generate a parser template. The template lives in apps/<app-name>/parser.yaml and is updated by the self-improvement loop.
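The parser template format in apps/<app-name>/parser.yaml is not shown here, so the following is an added illustration (not mallcop's own connector code) of the matching behaviour described above: each stdout/stderr line is tried against a set of named templates, and lines that match none are collected so the log-format-drift detector can act on them. The in-memory template, the regexes, the drift_threshold ratio, the event_type name log_format_drift and the sample log lines are all constructed for this example.

```python
import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed stand-in for apps/checkout-api/parser.yaml: named regex
# templates plus a threshold above which unmatched lines are reported.
# The real parser.yaml layout is not documented on this page (assumption).
TEMPLATE = {
    "app": "checkout-api",
    "patterns": {
        "http_request": re.compile(
            r"^(?P<ts>\S+) (?P<level>INFO|WARN|ERROR) "
            r"(?P<method>GET|POST|PUT|DELETE) (?P<path>\S+) "
            r"(?P<status>\d{3}) (?P<ms>\d+)ms$"
        ),
        "startup": re.compile(r"^(?P<ts>\S+) INFO listening on port (?P<port>\d+)$"),
    },
    # Assumed: fraction of unmatched lines in a scan that counts as drift.
    "drift_threshold": 0.2,
}


@dataclass
class ParseResult:
    matched: list = field(default_factory=list)    # structured records
    unmatched: list = field(default_factory=list)  # raw lines no template fit


def parse_lines(lines, template) -> ParseResult:
    """Try every template on every line; keep the first match, else record drift."""
    result = ParseResult()
    for line in lines:
        line = line.rstrip("\n")
        if not line:
            continue
        for name, pattern in template["patterns"].items():
            m = pattern.match(line)
            if m:
                result.matched.append({"template": name, **m.groupdict()})
                break
        else:
            result.unmatched.append(line)
    return result


def drift_event(result: ParseResult, template) -> Optional[dict]:
    """Emit a log-format-drift event when unmatched lines exceed the threshold.

    Field names follow the common event schema on this page; the event_type
    value and the metadata keys are assumptions of this example.
    """
    total = len(result.matched) + len(result.unmatched)
    if total == 0:
        return None
    ratio = len(result.unmatched) / total
    if ratio < template["drift_threshold"]:
        return None
    return {
        "source": "container-logs",
        "event_type": "log_format_drift",
        "target": template["app"],
        "severity": "warning",
        "metadata": {
            "unmatched_ratio": round(ratio, 3),
            "unmatched_count": len(result.unmatched),
            "samples": result.unmatched[:3],  # a few raw lines for the operator
        },
    }


# Constructed sample: the app silently switched from text to JSON logging
# partway through, which is exactly the kind of change drift detection flags.
SAMPLE_LINES = [
    "2026-03-11T14:00:00Z INFO listening on port 8080",
    "2026-03-11T14:00:01Z INFO GET /health 200 3ms",
    "2026-03-11T14:00:02Z INFO POST /checkout 201 41ms",
    "2026-03-11T14:00:03Z ERROR POST /checkout 500 102ms",
    '{"ts":"2026-03-11T14:00:04Z","msg":"switched to json logging"}',
    '{"ts":"2026-03-11T14:00:05Z","method":"GET","path":"/health","status":200}',
]


def scan_sample() -> Optional[dict]:
    """Parse the constructed sample and return the drift event, if any."""
    return drift_event(parse_lines(SAMPLE_LINES, TEMPLATE), TEMPLATE)


if __name__ == "__main__":
    print(scan_sample())
```

Two of the six sample lines match no template, so the unmatched ratio (0.333) crosses the assumed threshold and a drift event is produced; a scan made up only of the first four lines returns None.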

Vercel

Polls Vercel's deployment and audit log APIs. Captures deployment events, team membership changes, and audit log entries.

Auth

VERCEL_TOKEN=your-api-token    # Vercel account token
VERCEL_TEAM_ID=team_xxxxx     # optional, for team accounts

Event types

  • Deployment created, succeeded, failed
  • Team member added/removed
  • Project created/deleted
  • Domain configuration changes
  • Environment variable changes

Configuration

connectors:
  - id: vercel
    type: vercel
    team_id: "${VERCEL_TEAM_ID}"

Supabase

Auth audit logs, project configuration changes, and edge function monitoring.

Monitors your Supabase project for auth events (sign-ins, sign-ups, token refreshes), project configuration changes, and edge function deployments.

Event types

  • auth.signin - User sign-in events
  • auth.signup - New user registrations
  • auth.token_refresh - Token refresh events
  • project.config_change - Project setting modifications
  • edge_function.deploy - Edge function deployments

Configuration

connectors:
  - id: supabase
    type: supabase
    project_ref: "${SUPABASE_PROJECT_REF}"

Required secrets

  • SUPABASE_SERVICE_KEY - Supabase service role key

OpenClaw

AI agent skill integrity, behavior monitoring, and gateway security.

Monitors OpenClaw AI agent installations for skill integrity violations, behavior anomalies, and insecure gateway configurations.

Event types

  • skill.install - Skill installation events
  • skill.modify - Skill modification events
  • gateway.config_change - Gateway configuration changes
  • agent.behavior_anomaly - Agent behavior anomalies

Configuration

connectors:
  - id: openclaw
    type: openclaw
    gateway_url: "${OPENCLAW_GATEWAY_URL}"

Custom connectors

Scaffold a new connector with:

mallcop scaffold connector cloudflare

This generates plugins/connectors/cloudflare/ with: manifest.yaml, connector.py, tools.py, fixtures/, and tests.py.

The manifest declares capabilities, auth, and event types. mallcop verify checks that the implementation matches the manifest. Once verified, the connector integrates with all existing detectors and actors automatically.

Common event schema

All connectors emit events in a normalized format:

{
  "id": "evt-2026-03-11-azure-abc123",
  "timestamp": "2026-03-11T14:00:00Z",
  "source": "azure",
  "event_type": "role_assignment",
  "actor": "[USER_DATA_BEGIN]baron@3dl.dev[USER_DATA_END]",
  "target": "[USER_DATA_BEGIN]my-key-vault[USER_DATA_END]",
  "action": "role_assignment",
  "severity": "info",
  "metadata": {
    "role": "Key Vault Reader",
    "scope": "/subscriptions/xxx/resourceGroups/prod"
  },
  "raw": "..."
}

The raw field is never exposed to the LLM.

User-controllable string fields are wrapped in [USER_DATA_BEGIN]...[USER_DATA_END] markers at ingest. The raw field stores the original API response but is never included in actor context. See Security for the full airlock architecture.
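As an added illustration of the ingest step described above (this is example code, not mallcop's connector implementation), the following builds a common-schema event from a constructed Azure-style raw record, wraps the user-controllable actor and target strings in airlock markers, and derives the view an actor receives with the raw field removed. Its treatment of marker text that appears inside an untrusted value (rewriting it so the value cannot close its own airlock early), the choice of which fields to wrap, the id-suffix derivation and the raw record layout are all assumptions of this example.

```python
import hashlib
import json
from typing import Optional

# Airlock markers from the common event schema on this page.
USER_DATA_BEGIN = "[USER_DATA_BEGIN]"
USER_DATA_END = "[USER_DATA_END]"


def wrap_user_data(value: str) -> str:
    """Wrap an untrusted string in airlock markers.

    Marker text already present in the value is rewritten to an escaped
    spelling so the untrusted content cannot terminate its own airlock.
    The escaped spelling is an assumption of this example, not mallcop's.
    """
    escaped = (value.replace(USER_DATA_END, "[USER_DATA_END_ESCAPED]")
                    .replace(USER_DATA_BEGIN, "[USER_DATA_BEGIN_ESCAPED]"))
    return f"{USER_DATA_BEGIN}{escaped}{USER_DATA_END}"


def normalize_event(raw: dict, source: str, event_type: str,
                    actor: str, target: str, severity: str = "info",
                    metadata: Optional[dict] = None) -> dict:
    """Build a common-schema event from a connector's raw API record."""
    raw_json = json.dumps(raw, sort_keys=True, separators=(",", ":"))
    # Assumption: the id suffix is a short hash of the raw record, so the same
    # record seen on two polls maps to the same event id.
    suffix = hashlib.sha256(raw_json.encode()).hexdigest()[:6]
    timestamp = raw["eventTimestamp"]  # assumption: connector knows its raw layout
    return {
        "id": f"evt-{timestamp[:10]}-{source}-{suffix}",
        "timestamp": timestamp,
        "source": source,
        "event_type": event_type,
        "actor": wrap_user_data(actor),    # user-controllable: wrapped
        "target": wrap_user_data(target),  # user-controllable: wrapped
        "action": event_type,
        "severity": severity,
        "metadata": metadata or {},
        "raw": raw_json,                   # stored, never handed to the LLM
    }


def actor_context(event: dict) -> dict:
    """The view of an event given to an LLM-backed actor: everything but raw."""
    return {k: v for k, v in event.items() if k != "raw"}


# Constructed Azure Activity Log-style record (field names are an assumption,
# values are placeholders, not real tenant data).
SAMPLE_RAW = {
    "operationName": "Microsoft.Authorization/roleAssignments/write",
    "caller": "alice@example.test",
    "resourceId": "/subscriptions/xxx/resourceGroups/prod/providers/"
                  "Microsoft.KeyVault/vaults/my-key-vault",
    "eventTimestamp": "2026-03-11T14:00:00Z",
    "properties": {"roleName": "Key Vault Reader"},
}


def build_sample_event() -> dict:
    """Normalize the constructed record the way an Azure connector would."""
    return normalize_event(
        SAMPLE_RAW,
        source="azure",
        event_type="role_assignment",
        actor=SAMPLE_RAW["caller"],
        target=SAMPLE_RAW["resourceId"].rsplit("/", 1)[-1],
        metadata={"role": SAMPLE_RAW["properties"]["roleName"],
                  "scope": "/subscriptions/xxx/resourceGroups/prod"},
    )


if __name__ == "__main__":
    ev = build_sample_event()
    print(json.dumps(actor_context(ev), indent=2))
```

The actor and target strings come out wrapped exactly as in the schema example, while metadata values the connector itself chose (role, scope) are left unwrapped, matching the page's sample event; actor_context drops raw so the original API response never reaches actor prompts.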