Azure Log Analytics (Beta)

This is a beta Integration, which lets you implement and test pre-release software. Since the integration is beta, it might contain bugs. Updates to the integration during the beta phase might include non-backward compatible features. We appreciate your feedback on the quality and usability of the integration to help us identify issues, fix them, and continually improve.

Log Analytics is a service that helps you collect and analyze data generated by resources in your cloud and on-premises environments. This integration was integrated and tested with version 2020-03-01-preview of the Azure Log Analytics API.

Authorize Cortex XSOAR for Azure Log Analytics

You need to grant Cortex XSOAR authorization to access Azure Log Analytics.

  1. Access the authorization flow.
  2. Click the Start Authorization Process button and you will be prompted to grant Cortex XSOAR permissions for your Azure Service Management.
  3. Click the Accept button and you will receive your ID, token, and key. You will need to enter these when you configure the Azure Log Analytics integration instance in Cortex XSOAR.

Authorize Cortex XSOAR for Azure Log Analytics (self-deployed configuration)

Follow these steps for a self-deployed configuration.

  1. To use a self-configured Azure application, you need to add a new Azure App Registration in the Azure Portal. To add the registration, refer to the following Microsoft article.
  2. Make sure the following permissions are granted for the app registration:
    • Azure Service Management - permission user_impersonation of type Delegated
    • Log Analytics API - permission Data.Read of type Delegated
  3. Copy the following URL and replace the CLIENT_ID and REDIRECT_URI with your own client ID and redirect URI, accordingly. https://login.microsoftonline.com/common/oauth2/authorize?response_type=code&resource=https://management.core.windows.net&client_id=CLIENT_ID&redirect_uri=REDIRECT_URI
  4. Open the link in a browser. You will be prompted to grant Cortex XSOAR permissions for your Azure Service Management and then redirected to a URL with the following structure: REDIRECT_URI?code=AUTH_CODE&session_state=SESSION_STATE
  5. Copy the AUTH_CODE (without the “code=” prefix) and paste it in your instance configuration under the Authorization code parameter.
  6. Enter your client ID in the ID parameter.
  7. Enter your client secret in the Key parameter.
  8. Enter your tenant ID in the Token parameter.
  9. Enter your redirect URI in the Redirect URI parameter.
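The following helpers cover steps 3 to 5 of the self-deployed flow in code. They are an added example, not part of the integration or of Microsoft's SDKs: one builds the authorize URL from your client ID and redirect URI (percent-encoding the redirect URI, which is easy to get wrong when editing the URL by hand), the other pulls AUTH_CODE out of the redirect URL and refuses a code that did not arrive on the redirect URI you registered. The client ID and redirect URI values below are placeholders. The token exchange itself is done by the integration instance once you save the code, so it is not shown here.

```python
"""Added example (not the integration's code): helpers for steps 3-5 of the
self-deployed authorization flow. Builds the authorize URL and extracts
AUTH_CODE from the redirect. Client ID / redirect URI values are placeholders.
"""
from urllib.parse import parse_qs, urlencode, urlsplit

AUTHORIZE_ENDPOINT = "https://login.microsoftonline.com/common/oauth2/authorize"
RESOURCE = "https://management.core.windows.net"


def build_authorize_url(client_id: str, redirect_uri: str) -> str:
    """Return the step-3 URL with CLIENT_ID and REDIRECT_URI substituted.

    urlencode percent-encodes the redirect URI, so a URI containing ':',
    '/' or '?' survives the round trip through the browser intact.
    """
    params = {
        "response_type": "code",
        "resource": RESOURCE,
        "client_id": client_id,
        "redirect_uri": redirect_uri,
    }
    return f"{AUTHORIZE_ENDPOINT}?{urlencode(params)}"


def extract_auth_code(redirect_url: str, expected_redirect_uri: str) -> str:
    """Return AUTH_CODE (without the 'code=' prefix) from the step-4 redirect.

    Only accepts a code if the browser actually landed on the redirect URI
    you registered: a code delivered to some other host is not one to paste
    into the instance configuration. An 'error' parameter (the OAuth error
    response) is reported instead of being silently ignored.
    """
    got = urlsplit(redirect_url)
    want = urlsplit(expected_redirect_uri)
    if (got.scheme, got.netloc, got.path) != (want.scheme, want.netloc, want.path):
        raise ValueError(
            f"redirect went to {got.scheme}://{got.netloc}{got.path}, "
            f"expected {expected_redirect_uri}")
    query = parse_qs(got.query)
    if "error" in query:
        raise ValueError(f"authorization failed: {query['error'][0]}")
    codes = query.get("code", [])
    if len(codes) != 1 or not codes[0]:
        raise ValueError("redirect URL carries no single 'code' parameter")
    return codes[0]


if __name__ == "__main__":
    # Placeholder values; replace with your own app registration's.
    client_id = "11111111-2222-3333-4444-555555555555"
    redirect_uri = "https://xsoar.example.com/callback"
    print(build_authorize_url(client_id, redirect_uri))
    landed = redirect_uri + "?code=AUTH_CODE_123&session_state=SESSION_STATE"
    print("Authorization code:", extract_auth_code(landed, redirect_uri))
```

Paste the returned value into the Authorization code parameter; the code is single-use and short-lived, so run the flow again if the instance test fails after a delay.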

Get the additional instance parameters

To get the Subscription ID, Workspace Name, Workspace ID and Resource Group parameters, navigate in the Azure Portal to Azure Sentinel > YOUR-WORKSPACE > Settings and click the Workspace Settings tab.

Configure Azure Log Analytics on Cortex XSOAR

  1. Navigate to Settings > Integrations > Servers & Services.
  2. Search for Azure Log Analytics.
  3. Click Add instance to create and configure a new integration instance.
| Parameter | Description | Required |
| --- | --- | --- |
| auth_id | ID (received from the authorization step; in self-deployed mode, your application's client ID) | True |
| refresh_token | Token (received from the authorization step; in self-deployed mode, your tenant ID) | True |
| enc_key | Key (received from the authorization step; in self-deployed mode, your client secret) | True |
| self_deployed | Use a self-deployed Azure application | False |
| redirect_uri | Application redirect URI (for self-deployed mode) | False |
| auth_code | Authorization code (received from the self-deployed authorization step above) | False |
| subscriptionID | Subscription ID | True |
| resourceGroupName | Resource Group Name | True |
| workspaceName | Workspace Name | True |
| workspaceID | Workspace ID (the UUID of the workspace, e.g. 123e4567-e89b-12d3-a456-426614174000) | True |
| insecure | Trust any certificate (not secure) | False |
| proxy | Use system proxy settings | False |

  4. Click Test to validate the URLs, token, and connection.

Commands

You can execute these commands from the Cortex XSOAR CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.

azure-log-analytics-execute-query


Executes an Analytics query for data.

Base Command

azure-log-analytics-execute-query

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| query | The query to execute. | Required |
| timespan | The timespan over which to query data. This is an ISO8601 time period value. This timespan is applied in addition to any timespans specified in the query expression. | Optional |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| AzureLogAnalytics.Query.Query | String | The executed query. |
| AzureLogAnalytics.Query.TableName | String | The name of the query table. |
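Two things about this command are easier to see in code than in the argument table: what a valid ISO8601 timespan looks like (a duration such as P1D, or an explicit start/end window), and how the single result table comes back. The block below is an added example, not the integration's own code. It assumes the Log Analytics Query API response layout ({"tables": [{"name", "columns": [{"name", "type"}], "rows": [[...]]}]}); the "Records" key it produces is added here for illustration and is not one of the context paths listed above, and SAMPLE_RESPONSE is constructed from a subset of the Usage columns shown in the example output, not captured from a workspace.

```python
"""Added example (not the integration's code): build a timespan argument for
azure-log-analytics-execute-query and flatten a query response into the
AzureLogAnalytics.Query context. Assumes the Query API response layout
{"tables": [{"name", "columns": [{"name", "type"}], "rows": [[...]]}]}.
"Records" is an illustrative addition; SAMPLE_RESPONSE is constructed.
"""
from datetime import datetime, timedelta, timezone
from typing import Any, Dict, List


def iso8601_duration(delta: timedelta) -> str:
    """Render a timedelta as an ISO 8601 duration, e.g. 'P1DT2H30M'.

    The timespan is applied on top of any time filter in the query itself,
    so 'where TimeGenerated > ago(7d)' sent with 'P1D' still returns at
    most one day of data.
    """
    if delta <= timedelta(0):
        raise ValueError("timespan must be a positive duration")
    days, rem = divmod(int(delta.total_seconds()), 86400)
    hours, rem = divmod(rem, 3600)
    minutes, seconds = divmod(rem, 60)
    out = "P" + (f"{days}D" if days else "")
    if hours or minutes or seconds:
        out += "T"
        out += f"{hours}H" if hours else ""
        out += f"{minutes}M" if minutes else ""
        out += f"{seconds}S" if seconds else ""
    return out


def iso8601_interval(start: datetime, end: datetime) -> str:
    """Render an explicit 'start/end' window, the other accepted timespan form.

    Both datetimes must be timezone-aware: Log Analytics timestamps are UTC,
    and a naive local time would silently shift the window.
    """
    if start.tzinfo is None or end.tzinfo is None:
        raise ValueError("start and end must be timezone-aware")
    if end <= start:
        raise ValueError("end must be after start")
    fmt = "%Y-%m-%dT%H:%M:%SZ"
    return f"{start.astimezone(timezone.utc).strftime(fmt)}/{end.astimezone(timezone.utc).strftime(fmt)}"


def example_timespans() -> Dict[str, str]:
    """Timespans a playbook might pass: rolling windows and one fixed window."""
    return {
        "last_2h": iso8601_duration(timedelta(hours=2)),
        "last_7d": iso8601_duration(timedelta(days=7)),
        "day_and_half_hour": iso8601_duration(timedelta(days=1, minutes=30)),
        "fixed_window": iso8601_interval(
            datetime(2020, 7, 30, 3, tzinfo=timezone.utc),
            datetime(2020, 7, 30, 5, tzinfo=timezone.utc)),
    }


def query_to_context(query: str, response: Dict[str, Any]) -> Dict[str, Any]:
    """Flatten the first result table (normally 'PrimaryResult') into context.

    Each row becomes a dict keyed by column name, which is what the
    human-readable table is rendered from. The column count is checked per
    row so a malformed response fails loudly instead of shifting values
    under the wrong header.
    """
    tables = response.get("tables") or []
    if not tables:
        raise ValueError("response contains no tables")
    table = tables[0]
    columns = [col["name"] for col in table["columns"]]
    records: List[Dict[str, Any]] = []
    for row in table["rows"]:
        if len(row) != len(columns):
            raise ValueError(f"row has {len(row)} values for {len(columns)} columns")
        records.append(dict(zip(columns, row)))
    return {"Query": query, "TableName": table["name"], "Records": records}


# Constructed sample, modelled on a subset of the Usage columns shown above.
SAMPLE_RESPONSE: Dict[str, Any] = {
    "tables": [{
        "name": "PrimaryResult",
        "columns": [
            {"name": "TimeGenerated", "type": "datetime"},
            {"name": "DataType", "type": "string"},
            {"name": "Quantity", "type": "real"},
            {"name": "QuantityUnit", "type": "string"},
            {"name": "IsBillable", "type": "bool"},
        ],
        "rows": [
            ["2020-07-30T04:00:00Z", "Operation", 0.00714, "MBytes", False],
            ["2020-07-30T04:00:00Z", "SigninLogs", 0.012602, "MBytes", True],
            ["2020-07-30T05:00:00Z", "OfficeActivity", 0.002015, "MBytes", False],
        ],
    }]
}


def billable_mbytes(context: Dict[str, Any]) -> float:
    """Sum the billable volume in a flattened Usage result."""
    return sum(r["Quantity"] for r in context["Records"] if r["IsBillable"])


if __name__ == "__main__":
    ctx = query_to_context("Usage | take 10", SAMPLE_RESPONSE)
    print(example_timespans())
    print(ctx["TableName"], len(ctx["Records"]), "rows;", billable_mbytes(ctx), "billable MBytes")
```

Pass the string from iso8601_duration or iso8601_interval as the timespan argument; because it narrows rather than widens the query's own time filter, a short timespan is a cheap guard against a playbook accidentally running an unbounded query.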

Command Example

!azure-log-analytics-execute-query query="Usage | take 10" workspace_id=WORKSPACE_ID

Human Readable Output

Query Results

PrimaryResult

| Tenant Id | Computer | Time Generated | Source System | Start Time | End Time | Resource Uri | Data Type | Solution | Batches Within Sla | Batches Outside Sla | Batches Capped | Total Batches | Avg Latency In Seconds | Quantity | Quantity Unit | Is Billable | Meter Id | Linked Meter Id | Type |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| TENANT_ID | Deprecated field: see http://aka.ms/LA-Usage | 2020-07-30T04:00:00Z | OMS | 2020-07-30T03:00:00Z | 2020-07-30T04:00:00Z | /subscriptions/SUBSCRIPTION_ID/resourcegroups/RESOURCE_GROUP/providers/microsoft.operationalinsights/workspaces/WORKSPACE_NAME | Operation | LogManagement | 0 | 0 | 0 | 0 | 0 | 0.00714 | MBytes | false | METER_ID | 00000000-0000-0000-0000-000000000000 | Usage |
| TENANT_ID | Deprecated field: see http://aka.ms/LA-Usage | 2020-07-30T04:00:00Z | OMS | 2020-07-30T03:00:00Z | 2020-07-30T04:00:00Z | /subscriptions/SUBSCRIPTION_ID/resourcegroups/RESOURCE_GROUP/providers/microsoft.operationalinsights/workspaces/WORKSPACE_NAME | SigninLogs | LogManagement | 0 | 0 | 0 | 0 | 0 | 0.012602 | MBytes | true | METER_ID | 00000000-0000-0000-0000-000000000000 | Usage |
| TENANT_ID | Deprecated field: see http://aka.ms/LA-Usage | 2020-07-30T05:00:00Z | OMS | 2020-07-30T04:00:00Z | 2020-07-30T05:00:00Z | /subscriptions/SUBSCRIPTION_ID/resourcegroups/RESOURCE_GROUP/providers/microsoft.operationalinsights/workspaces/WORKSPACE_NAME | OfficeActivity | Office365/SecurityInsights | 0 | 0 | 0 | 0 | 0 | 0.00201499908978072 | MBytes | false | METER_ID | 00000000-0000-0000-0000-000000000000 | Usage |
| TENANT_ID | Deprecated field: see http://aka.ms/LA-Usage | 2020-07-30T05:00:00Z | OMS | 2020-07-30T04:00:00Z | 2020-07-30T05:00:00Z | /subscriptions/SUBSCRIPTION_ID/resourcegroups/RESOURCE_GROUP/providers/microsoft.operationalinsights/workspaces/WORKSPACE_NAME | SigninLogs | LogManagement | 0 | 0 | 0 | 0 | 0 | 0.009107 | MBytes | true | METER_ID | 00000000-0000-0000-0000-000000000000 | Usage |

azure-log-analytics-list-saved-searches


Gets the saved searches of the Log Analytics workspace.

Base Command

azure-log-analytics-list-saved-searches

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| limit | The maximum number of saved searches to return. Default is 50. | Optional |
| page | The page number from which to start a search. | Optional |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| AzureLogAnalytics.SavedSearch.id | String | The ID of the saved search. |
| AzureLogAnalytics.SavedSearch.etag | String | The ETag of the saved search. |
| AzureLogAnalytics.SavedSearch.category | String | The category of the saved search. This helps users quickly find a saved search. |
| AzureLogAnalytics.SavedSearch.displayName | String | The display name of the saved search. |
| AzureLogAnalytics.SavedSearch.functionAlias | String | The function alias if the query serves as a function. |
| AzureLogAnalytics.SavedSearch.functionParameters | String | The optional function parameters if the query serves as a function. Value should be in the following format: 'param-name1:type1 = default_value1, param-name2:type2 = default_value2'. For more examples and proper syntax, see https://docs.microsoft.com/en-us/azure/kusto/query/functions/user-defined-functions |
| AzureLogAnalytics.SavedSearch.query | String | The query expression for the saved search. |
| AzureLogAnalytics.SavedSearch.tags | String | The tags attached to the saved search. |
| AzureLogAnalytics.SavedSearch.version | Number | The version number of the query language. The current version and default is 2. |
| AzureLogAnalytics.SavedSearch.type | String | The resource type (Microsoft.OperationalInsights/savedSearches for a saved search). |

Command Example

!azure-log-analytics-list-saved-searches limit=3

Human Readable Output

Saved searches

| Etag | Id | Category | Display Name | Function Alias | Function Parameters | Query | Tags | Version | Type |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| W/"datetime'2020-07-05T13%3A38%3A41.053438Z'" | test2 | category1 | test2 | heartbeat_func | a:int=1 | Heartbeat \| summarize Count() by Computer \| take a | {'name': 'Group', 'value': 'Computer'} | 2 | Microsoft.OperationalInsights/savedSearches |
| W/"datetime'2020-07-28T18%3A43%3A56.8625448Z'" | test123 | Saved Search Test Category | test123 | heartbeat_func | a:int=1 | Heartbeat \| summarize Count() by Computer \| take a | {'name': 'Group', 'value': 'Computer'} | 2 | Microsoft.OperationalInsights/savedSearches |
| W/"datetime'2020-07-30T11%3A41%3A35.1459664Z'" | test1234 | test | test | | | SecurityAlert \| summarize arg_max(TimeGenerated, *) by SystemAlertId \| where SystemAlertId in("TEST_SYSTEM_ALERT_ID") | | 2 | Microsoft.OperationalInsights/savedSearches |

azure-log-analytics-get-saved-search-by-id


Gets the specified saved search from the Log Analytics workspace.

Base Command

azure-log-analytics-get-saved-search-by-id

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| saved_search_id | The ID of the saved search. | Required |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| AzureLogAnalytics.SavedSearch.id | String | The ID of the saved search. |
| AzureLogAnalytics.SavedSearch.etag | String | The ETag of the saved search. |
| AzureLogAnalytics.SavedSearch.category | String | The category of the saved search. This helps users quickly find a saved search. |
| AzureLogAnalytics.SavedSearch.displayName | String | The display name of the saved search. |
| AzureLogAnalytics.SavedSearch.functionAlias | String | The function alias if the query serves as a function. |
| AzureLogAnalytics.SavedSearch.functionParameters | String | The optional function parameters if the query serves as a function. Value should be in the following format: 'param-name1:type1 = default_value1, param-name2:type2 = default_value2'. For more examples and proper syntax, see the Microsoft documentation: https://docs.microsoft.com/en-us/azure/kusto/query/functions/user-defined-functions |
| AzureLogAnalytics.SavedSearch.query | String | The query expression for the saved search. |
| AzureLogAnalytics.SavedSearch.tags | String | The tags attached to the saved search. |
| AzureLogAnalytics.SavedSearch.version | Number | The version number of the query language. The current version and default is 2. |
| AzureLogAnalytics.SavedSearch.type | String | The resource type (Microsoft.OperationalInsights/savedSearches for a saved search). |

Command Example

!azure-log-analytics-get-saved-search-by-id saved_search_id=test1234

Human Readable Output

Saved search test1234 properties

| Etag | Id | Category | Display Name | Query | Version |
| --- | --- | --- | --- | --- | --- |
| W/"datetime'2020-07-30T12%3A21%3A05.3197505Z'" | test1234 | test | test | SecurityAlert \| summarize arg_max(TimeGenerated, *) by SystemAlertId \| where SystemAlertId in("TEST_SYSTEM_ALERT_ID") | 2 |

azure-log-analytics-create-or-update-saved-search


Creates or updates a saved search in the Log Analytics workspace. To update an existing saved search, pass its current ETag in the etag argument.

Base Command

azure-log-analytics-create-or-update-saved-search

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| saved_search_id | The ID of the saved search. | Required |
| etag | The ETag of the saved search. This argument is required for updating an existing saved search. | Optional |
| category | The category of the saved search. This helps users quickly find a saved search. | Required |
| display_name | The display name of the saved search. | Required |
| function_alias | The function alias if the query serves as a function. | Optional |
| function_parameters | The optional function parameters if the query serves as a function. Value should be in the following format: 'param-name1:type1 = default_value1, param-name2:type2 = default_value2'. For more examples and proper syntax, see https://docs.microsoft.com/en-us/azure/kusto/query/functions/user-defined-functions. | Optional |
| query | The query expression for the saved search. | Required |
| tags | The tags attached to the saved search. Value should be in the following format: 'name=value;name=value' | Optional |
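The tags and function_parameters arguments each carry a small text format, and the output of the list command above shows that tags end up as {'name': ..., 'value': ...} objects. The block below is an added example, not the integration's own code, showing how those two strings can be parsed and validated before they are put into a Saved Searches request body. It assumes the body layout {"etag": ..., "properties": {...}} with tags as a list of name/value objects, and it checks function parameter types against the scalar Kusto types in KQL_TYPES; both of those are assumptions on top of what the argument table states.

```python
"""Added example (not the integration's code): parse the tags and
function_parameters arguments of azure-log-analytics-create-or-update-
saved-search and assemble a request body. Assumptions: body layout
{"etag", "properties": {...}} with tags as [{"name", "value"}], and the
scalar Kusto parameter types listed in KQL_TYPES.
"""
import re
from typing import Any, Dict, List, Optional

KQL_TYPES = {"bool", "datetime", "decimal", "dynamic", "guid", "int",
             "long", "real", "string", "timespan"}
# name:type [= default]; defaults containing a comma are not supported here.
PARAM_RE = re.compile(r"^\s*([A-Za-z_][A-Za-z0-9_]*)\s*:\s*([a-z]+)\s*(?:=\s*(.+?)\s*)?$")


def parse_tags(tags: Optional[str]) -> List[Dict[str, str]]:
    """Parse 'name=value;name=value' into [{'name': ..., 'value': ...}, ...].

    Splits each segment on the first '=' only, so a value may itself
    contain '='. Empty segments (a trailing ';') are ignored; a segment
    without '=' or with an empty name is rejected, not silently dropped.
    """
    result: List[Dict[str, str]] = []
    for segment in (tags or "").split(";"):
        if not segment.strip():
            continue
        name, sep, value = segment.partition("=")
        if not sep or not name.strip():
            raise ValueError(f"bad tag {segment!r}; expected name=value")
        result.append({"name": name.strip(), "value": value.strip()})
    return result


def validate_function_parameters(params: Optional[str]) -> Optional[str]:
    """Check 'p1:type1 = default1, p2:type2' and return it normalised.

    Each parameter must have a known scalar type; the result is re-joined
    with consistent spacing so identical definitions compare equal.
    """
    if not params or not params.strip():
        return None
    normalised = []
    for part in params.split(","):
        match = PARAM_RE.match(part)
        if not match:
            raise ValueError(f"bad parameter {part!r}; expected name:type [= default]")
        name, ptype, default = match.groups()
        if ptype not in KQL_TYPES:
            raise ValueError(f"unknown type {ptype!r} for parameter {name}")
        normalised.append(f"{name}:{ptype}" + (f" = {default}" if default is not None else ""))
    return ", ".join(normalised)


def build_saved_search_body(category: str, display_name: str, query: str,
                            etag: Optional[str] = None,
                            function_alias: Optional[str] = None,
                            function_parameters: Optional[str] = None,
                            tags: Optional[str] = None) -> Dict[str, Any]:
    """Assemble the create-or-update body; optional fields are omitted, not sent as null."""
    if function_parameters and not function_alias:
        raise ValueError("function_parameters requires function_alias")
    properties: Dict[str, Any] = {
        "category": category,
        "displayName": display_name,
        "query": query,
        "version": 2,  # query language version; 2 is the current default
    }
    if function_alias:
        properties["functionAlias"] = function_alias
    params = validate_function_parameters(function_parameters)
    if params:
        properties["functionParameters"] = params
    parsed_tags = parse_tags(tags)
    if parsed_tags:
        properties["tags"] = parsed_tags
    body: Dict[str, Any] = {"properties": properties}
    if etag:
        body["etag"] = etag  # required when updating an existing saved search
    return body


if __name__ == "__main__":
    print(build_saved_search_body(
        category="test", display_name="heartbeat per computer",
        query="Heartbeat | summarize Count() by Computer | take a",
        function_alias="heartbeat_func", function_parameters="a:int=1",
        tags="Group=Computer"))
```

Rejecting a malformed tag or parameter before the request is sent gives a clear error in the War Room instead of an opaque 400 from the API, and omitting empty optional fields avoids overwriting an existing search's alias or tags with nulls on update.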

Context Output

| Path | Type | Description |
| --- | --- | --- |
| AzureLogAnalytics.SavedSearch.id | String | The ID of the saved search. |
| AzureLogAnalytics.SavedSearch.etag | String | The ETag of the saved search. |
| AzureLogAnalytics.SavedSearch.category | String | The category of the saved search. This helps users quickly find a saved search. |
| AzureLogAnalytics.SavedSearch.displayName | String | The display name of the saved search. |
| AzureLogAnalytics.SavedSearch.functionAlias | String | The function alias if the query serves as a function. |
| AzureLogAnalytics.SavedSearch.functionParameters | String | The optional function parameters if the query serves as a function. Value should be in the following format: 'param-name1:type1 = default_value1, param-name2:type2 = default_value2'. For more examples and proper syntax, see https://docs.microsoft.com/en-us/azure/kusto/query/functions/user-defined-functions |
| AzureLogAnalytics.SavedSearch.query | String | The query expression for the saved search. |
| AzureLogAnalytics.SavedSearch.tags | String | The tags attached to the saved search. |
| AzureLogAnalytics.SavedSearch.version | Number | The version number of the query language. The current version and default is 2. |
| AzureLogAnalytics.SavedSearch.type | String | The resource type (Microsoft.OperationalInsights/savedSearches for a saved search). |

Command Example

!azure-log-analytics-create-or-update-saved-search saved_search_id="test1234" category="test" display_name="new display name test" query=`SecurityAlert
| summarize arg_max(TimeGenerated, *) by SystemAlertId
| where SystemAlertId in("TEST_SYSTEM_ALERT_ID")`

Human Readable Output

Saved search test1234 properties

| Etag | Id | Category | Display Name | Query | Version |
| --- | --- | --- | --- | --- | --- |
| W/"datetime'2020-07-30T12%3A21%3A05.3197505Z'" | test1234 | test | new display name test | SecurityAlert \| summarize arg_max(TimeGenerated, *) by SystemAlertId \| where SystemAlertId in("TEST_SYSTEM_ALERT_ID") | 2 |

azure-log-analytics-delete-saved-search


Deletes a specified saved search in the Log Analytics workspace.

Base Command

azure-log-analytics-delete-saved-search

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| saved_search_id | The ID of the saved search. | Required |

Context Output

There is no context output for this command.

Command Example

!azure-log-analytics-delete-saved-search saved_search_id=test1234

Human Readable Output

Successfully deleted the saved search test1234.

azure-log-analytics-test


Tests connectivity to Azure Log Analytics.

Base Command

azure-log-analytics-test

Input

There are no input arguments for this command.

Context Output

There is no context output for this command.

Command Example

!azure-log-analytics-test

Human Readable Output

✅ Success!