
Azure Log Analytics

This Integration is part of the Azure Log Analytics Pack.#

Log Analytics is a service that helps you collect and analyze data generated by resources in your cloud and on-premises environments. This integration was integrated and tested with version 2022-10-01 of Azure Log Analytics.

Authorization#

To connect to Azure Log Analytics, use either the Cortex XSOAR Azure App or the Self-Deployed Azure App.

Depending on the authentication method that you use, the integration parameters might change.

Note: The Azure account must have permission to manage applications in Azure Active Directory (Azure AD). Any of the following Azure AD roles include the required permissions:

  • Application administrator
  • Application developer
  • Cloud application administrator

In addition, the user that granted the authorization needs to be assigned the Log Analytics Reader role. For the search job commands the user needs to be assigned the Log Analytics Contributor role.

To add these roles:
1. In the Azure portal, go to `Log Analytics workspace`, select the workspace you are using, and open Access control (IAM).
2. In Access control (IAM), select Add role assignment.
3. Select the user that granted the authorization and assign the roles.

For more information, refer to the following Microsoft article.

Cortex XSOAR Azure Application#

You need to grant Cortex XSOAR authorization to access Azure Log Analytics. For more information, refer to the following article.

Note - The credentials are valid for a single instance only.

Self Deployed Application#

To use a self-configured Azure application, you need to add a new Azure App Registration in the Azure Portal. To add the registration, see the Microsoft article.

Required permissions#

  • Azure Service Management - permission user_impersonation of type Delegated
  • Log Analytics API - permission Data.Read of type Delegated

In self-deployed mode you can authenticate by using one of the following flows:

  • Authorization Code flow
  • Client Credentials flow

Authorization Code flow#


  1. In the instance configuration, select the Use a self-deployed Azure application - Authorization Code flow checkbox.
  2. Enter your client ID in the ID / Client ID parameter (credentials username).
  3. Enter your client secret in the Key / Client Secret parameter (credentials password).
  4. Enter your tenant ID in the Token parameter.
  5. Enter your redirect URI in the Redirect URI parameter.
  6. Save the integration settings.
  7. Run the !azure-log-analytics-generate-login-url command in the War Room and follow the instructions.
  8. Run the !azure-log-analytics-test command to test the connection and the authorization process.

Client Credentials Flow#


Follow these steps for client-credentials configuration.

  1. In the instance configuration, select the Use a self-deployed Azure application - Client Credentials Authorization Flow checkbox.
  2. Enter your Client ID in the ID / Client ID parameter.
  3. Enter your Client Secret in the Key / Client Secret parameter.
  4. Enter your Tenant ID in the Tenant ID parameter.
  5. Click Test to validate the URLs, token, and connection.

Get the additional instance parameters#

To get the Subscription ID, Workspace Name, Workspace ID and Resource Group parameters, navigate in the Azure Portal to Azure Sentinel > YOUR-WORKSPACE > Settings and click the Workspace Settings tab.

Configure Azure Log Analytics on Cortex XSOAR#

  1. Navigate to Settings > Integrations > Servers & Services.

  2. Search for Azure Log Analytics.

  3. Click Add instance to create and configure a new integration instance.

    | Parameter | Description | Required |
    | --- | --- | --- |
    | Token / Tenant ID | Received from the authorization process or from the self-deployed configuration process (find the tenant ID in your app overview page in the Azure portal). | False |
    | ID / Client ID | Received from the authorization process or from the self-deployed configuration process. | False |
    | Key / Client Secret |  | False |
    | Certificate Thumbprint | Used for certificate authentication. As appears in the "Certificates & secrets" page of the app. | False |
    | Private Key | Used for certificate authentication. The private key of the registered certificate. | False |
    | Use a self-deployed Azure application - Authorization Code flow | Check when authenticating using the Authorization Code flow. | False |
    | Use a self-deployed Azure application - Client Credentials Flow | Check when authenticating using the Client Credentials flow. | False |
    | Application redirect URI (for self-deployed mode) |  | False |
    | Authorization code | Get the Authorization code from steps 3-5 in the self-deployed authorization process. | False |
    | Use Azure Managed Identities | Relevant only if the integration is running on an Azure VM. If selected, authenticates based on the value provided for the Azure Managed Identities Client ID field. If no value is provided for the Azure Managed Identities Client ID field, authenticates based on the System Assigned Managed Identity. For additional information, see the Help tab. | False |
    | Azure Managed Identities Client ID | The Managed Identities client ID for authentication. Relevant only if the integration is running on an Azure VM. | False |
    | Default Subscription ID | The parameter can be saved as 000-000 and added as an argument to each command, but the Test button will fail. | True |
    | Default Resource Group Name | The parameter can be saved as 000-000 and added as an argument to each command, but the Test button will fail. | True |
    | Default Workspace Name | The parameter can be saved as 000-000 and added as an argument to each command. | True |
    | Default Workspace ID (the UUID of the workspace, e.g. 123e4567-e89b-12d3-a456-426614174000) | The parameter can be saved as 000-000 and added as an argument to each command, but the Test button will fail. | True |
    | Trust any certificate (not secure) |  | False |
    | Use system proxy settings |  | False |
    | Azure Cloud | Azure Cloud the K8S cluster resides in. See table below. | False |
    | Server URL | Use this option when required to customize the URL to the Azure management endpoint. | False |

  4. Azure cloud options

    | Azure Cloud | Description |
    | --- | --- |
    | Worldwide | The publicly accessible Azure Cloud |
    | US GCC | Azure cloud for the USA Government Cloud Community (GCC) |
    | US GCC-High | Azure cloud for the USA Government Cloud Community High (GCC-High) |
    | DoD | Azure cloud for the USA Department of Defense (DoD) |
    | Germany | Azure cloud for the German Government |
    | China | Azure cloud for the Chinese Government |
    | Custom | Custom endpoint configuration to the Azure cloud. See note below. |

    • Note: In most cases, setting Azure Cloud is preferred to setting the Azure AD endpoint. Only use the custom endpoint in cases where a custom proxy URL is required for accessing a national cloud.
    • See further documentation in Using National Cloud.

  5. Click Test to validate the URLs, token, and connection.

Commands#

You can execute these commands from the Cortex XSOAR CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.

azure-log-analytics-execute-query#


Executes an Analytics query for data.

Base Command#

azure-log-analytics-execute-query

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| query | The query to execute. | Required |
| timespan | The timespan over which to query data. This is an ISO 8601 time period value. This timespan is applied in addition to any timespans specified in the query expression. | Optional |
| timeout | The amount of time (in seconds) that a request will wait for the query response before a timeout occurs. Default is 10. | Optional |
| workspace_id | The Workspace ID. Note: This argument will override the instance parameter 'Default Workspace ID'. | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| AzureLogAnalytics.Query.Query | String | The executed query. |
| AzureLogAnalytics.Query.TableName | String | The name of the query table. |

Command Example#

!azure-log-analytics-execute-query query="Usage | take 10" workspace_id=WORKSPACE_ID

Human Readable Output#

Query Results#

PrimaryResult#

| Tenant Id | Computer | Time Generated | Source System | Start Time | End Time | Resource Uri | Data Type | Solution | Batches Within Sla | Batches Outside Sla | Batches Capped | Total Batches | Avg Latency In Seconds | Quantity | Quantity Unit | Is Billable | Meter Id | Linked Meter Id | Type |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| TENANT_ID | Deprecated field: see http://aka.ms/LA-Usage | 2020-07-30T04:00:00Z | OMS | 2020-07-30T03:00:00Z | 2020-07-30T04:00:00Z | /subscriptions/SUBSCRIPTION_ID/resourcegroups/RESOURCE_GROUP/providers/microsoft.operationalinsights/workspaces/WORKSPACE_NAME | Operation | LogManagement | 0 | 0 | 0 | 0 | 0 | 0.00714 | MBytes | false | METER_ID | 00000000-0000-0000-0000-000000000000 | Usage |
| TENANT_ID | Deprecated field: see http://aka.ms/LA-Usage | 2020-07-30T04:00:00Z | OMS | 2020-07-30T03:00:00Z | 2020-07-30T04:00:00Z | /subscriptions/SUBSCRIPTION_ID/resourcegroups/RESOURCE_GROUP/providers/microsoft.operationalinsights/workspaces/WORKSPACE_NAME | SigninLogs | LogManagement | 0 | 0 | 0 | 0 | 0 | 0.012602 | MBytes | true | METER_ID | 00000000-0000-0000-0000-000000000000 | Usage |
| TENANT_ID | Deprecated field: see http://aka.ms/LA-Usage | 2020-07-30T05:00:00Z | OMS | 2020-07-30T04:00:00Z | 2020-07-30T05:00:00Z | /subscriptions/SUBSCRIPTION_ID/resourcegroups/RESOURCE_GROUP/providers/microsoft.operationalinsights/workspaces/WORKSPACE_NAME | OfficeActivity | Office365/SecurityInsights | 0 | 0 | 0 | 0 | 0 | 0.00201499908978072 | MBytes | false | METER_ID | 00000000-0000-0000-0000-000000000000 | Usage |
| TENANT_ID | Deprecated field: see http://aka.ms/LA-Usage | 2020-07-30T05:00:00Z | OMS | 2020-07-30T04:00:00Z | 2020-07-30T05:00:00Z | /subscriptions/SUBSCRIPTION_ID/resourcegroups/RESOURCE_GROUP/providers/microsoft.operationalinsights/workspaces/WORKSPACE_NAME | SigninLogs | LogManagement | 0 | 0 | 0 | 0 | 0 | 0.009107 | MBytes | true | METER_ID | 00000000-0000-0000-0000-000000000000 | Usage |
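The following is an added example, not code from the integration or from Microsoft: it builds the request that the execute-query command sends, validates the `timespan` argument as an ISO 8601 duration or interval, and flattens the query response into rows keyed by column name, which is what the table above displays. It assumes the Log Analytics Query API v1 endpoint and its `tables[].name/columns/rows` response shape; `SAMPLE_RESPONSE` is constructed from the four Usage rows shown above, reduced to six columns.

```python
"""Added example: request building, timespan validation and response flattening
for a Log Analytics query. Assumes the Query API v1 endpoint and response shape."""
import re

QUERY_URL = "https://api.loganalytics.io/v1/workspaces/{workspace_id}/query"  # assumed endpoint

# ISO 8601 duration with the designators that matter here (W, D, H, M, S).
ISO8601_DURATION = re.compile(r"^P(?:\d+W)?(?:\d+D)?(?:T(?:\d+H)?(?:\d+M)?(?:\d+S)?)?$")


def validate_timespan(timespan):
    """Accept a duration (PT1H, P7D) or an interval 'start/end'; reject anything else,
    so a typo does not silently widen the search to the query's own time bounds."""
    if "/" in timespan:
        start, end = timespan.split("/", 1)
        if not start or not end:
            raise ValueError(f"interval timespan needs both ends: {timespan!r}")
        return timespan
    if timespan in ("P", "PT") or not ISO8601_DURATION.match(timespan):
        raise ValueError(f"not an ISO 8601 duration: {timespan!r}")
    return timespan


def build_query_request(workspace_id, query, timespan=None):
    """Return (url, json_body). The command's `timeout` argument is the client-side
    wait for the HTTP response; it goes to the HTTP client, not into the body."""
    body = {"query": query}
    if timespan:
        body["timespan"] = validate_timespan(timespan)
    return QUERY_URL.format(workspace_id=workspace_id), body


def tables_to_rows(response):
    """Flatten every table in a query response into dicts keyed by column name,
    e.g. {'PrimaryResult': [{'DataType': 'SigninLogs', ...}, ...]}."""
    result = {}
    for table in response.get("tables", []):
        columns = [c["name"] for c in table["columns"]]
        result[table["name"]] = [dict(zip(columns, row)) for row in table["rows"]]
    return result


def billable_mb_by_data_type(rows):
    """Sum Quantity (MBytes) per DataType over billable rows only: the view an analyst
    wants when checking which log sources drive ingestion volume."""
    totals = {}
    for row in rows:
        if row.get("IsBillable") is True and row.get("QuantityUnit") == "MBytes":
            totals[row["DataType"]] = totals.get(row["DataType"], 0.0) + float(row["Quantity"])
    return totals


# Constructed sample: the four Usage rows from the output above, six columns kept.
SAMPLE_RESPONSE = {
    "tables": [{
        "name": "PrimaryResult",
        "columns": [{"name": "TimeGenerated", "type": "datetime"}, {"name": "DataType", "type": "string"},
                    {"name": "Solution", "type": "string"}, {"name": "Quantity", "type": "real"},
                    {"name": "QuantityUnit", "type": "string"}, {"name": "IsBillable", "type": "bool"}],
        "rows": [
            ["2020-07-30T04:00:00Z", "Operation", "LogManagement", 0.00714, "MBytes", False],
            ["2020-07-30T04:00:00Z", "SigninLogs", "LogManagement", 0.012602, "MBytes", True],
            ["2020-07-30T05:00:00Z", "OfficeActivity", "Office365/SecurityInsights", 0.00201499908978072, "MBytes", False],
            ["2020-07-30T05:00:00Z", "SigninLogs", "LogManagement", 0.009107, "MBytes", True],
        ],
    }]
}

if __name__ == "__main__":
    url, body = build_query_request("WORKSPACE_ID", "Usage | take 10", timespan="PT1H")
    print(url, body)
    rows = tables_to_rows(SAMPLE_RESPONSE)["PrimaryResult"]
    print(billable_mb_by_data_type(rows))
```

The `timespan` check is deliberately strict: the API applies the argument on top of any time filter inside the KQL, so a malformed value that is dropped silently would return more data than the analyst asked for.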

azure-log-analytics-test#


Tests connectivity to Azure Log Analytics.

Base Command#

azure-log-analytics-test

Input#

There are no input arguments for this command.

Context Output#

There is no context output for this command.

Command Example#

!azure-log-analytics-test

Human Readable Output#

✅ Success!

azure-log-analytics-list-saved-searches#


Gets the saved searches of the Log Analytics workspace.

Base Command#

azure-log-analytics-list-saved-searches

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| limit | The maximum number of saved searches to return. Default is 50. | Optional |
| page | The page number from which to start a search. Default is 0. | Optional |
| subscription_id | The subscription ID to use. Note: This argument will override the instance parameter 'Default Subscription ID'. | Optional |
| resource_group_name | The name of the resource group within the user's subscription. Note: This argument will override the instance parameter 'Default Resource Group Name'. | Optional |
| workspace_name | The name of the workspace. Note: This argument will override the instance parameter 'Default Workspace Name'. | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| AzureLogAnalytics.SavedSearch.id | String | The ID of the saved search. |
| AzureLogAnalytics.SavedSearch.etag | String | The ETag of the saved search. |
| AzureLogAnalytics.SavedSearch.category | String | The category of the saved search. This helps users quickly find a saved search. |
| AzureLogAnalytics.SavedSearch.displayName | String | Display name of the saved search. |
| AzureLogAnalytics.SavedSearch.functionAlias | String | The function alias if the query serves as a function. |
| AzureLogAnalytics.SavedSearch.functionParameters | String | The optional function parameters if the query serves as a function. Value should be in the following format: 'param-name1:type1 = default_value1, param-name2:type2 = default_value2'. For more examples and proper syntax, refer to https://docs.microsoft.com/en-us/azure/kusto/query/functions/user-defined-functions |
| AzureLogAnalytics.SavedSearch.query | String | The query expression for the saved search. |
| AzureLogAnalytics.SavedSearch.tags | String | The tags attached to the saved search. |
| AzureLogAnalytics.SavedSearch.version | Number | The version number of the query language. The current version and default is 2. |
| AzureLogAnalytics.SavedSearch.type | String | The resource type, e.g., Microsoft.Compute/virtualMachines or Microsoft.Storage/storageAccounts. |

Command Example#

!azure-log-analytics-list-saved-searches limit=3

Human Readable Output#

Saved searches#

| Etag | Id | Category | Display Name | Function Alias | Function Parameters | Query | Tags | Version | Type |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| W/"datetime'2020-07-05T13%3A38%3A41.053438Z'" | test2 | category1 | test2 | heartbeat_func | a:int=1 | Heartbeat \| summarize Count() by Computer \| take a | {'name': 'Group', 'value': 'Computer'} | 2 | Microsoft.OperationalInsights/savedSearches |
| W/"datetime'2020-07-28T18%3A43%3A56.8625448Z'" | test123 | Saved Search Test Category | test123 | heartbeat_func | a:int=1 | Heartbeat \| summarize Count() by Computer \| take a | {'name': 'Group', 'value': 'Computer'} | 2 | Microsoft.OperationalInsights/savedSearches |
| W/"datetime'2020-07-30T11%3A41%3A35.1459664Z'" | test1234 | test | test |  |  | SecurityAlert \| summarize arg_max(TimeGenerated, *) by SystemAlertId \| where SystemAlertId in("TEST_SYSTEM_ALERT_ID") |  | 2 | Microsoft.OperationalInsights/savedSearches |

azure-log-analytics-get-saved-search-by-id#


Gets a specified saved search from the Log Analytics workspace.

Base Command#

azure-log-analytics-get-saved-search-by-id

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| saved_search_id | The ID of the saved search. | Required |
| subscription_id | The subscription ID to use. Note: This argument will override the instance parameter 'Default Subscription ID'. | Optional |
| resource_group_name | The name of the resource group within the user's subscription. Note: This argument will override the instance parameter 'Default Resource Group Name'. | Optional |
| workspace_name | The name of the workspace. Note: This argument will override the instance parameter 'Default Workspace Name'. | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| AzureLogAnalytics.SavedSearch.id | String | The ID of the saved search. |
| AzureLogAnalytics.SavedSearch.etag | String | The ETag of the saved search. |
| AzureLogAnalytics.SavedSearch.category | String | The category of the saved search. This helps users quickly find a saved search. |
| AzureLogAnalytics.SavedSearch.displayName | String | The display name of the saved search. |
| AzureLogAnalytics.SavedSearch.functionAlias | String | The function alias if the query serves as a function. |
| AzureLogAnalytics.SavedSearch.functionParameters | String | The optional function parameters if the query serves as a function. Value should be in the following format: 'param-name1:type1 = default_value1, param-name2:type2 = default_value2'. For more examples and proper syntax see the Microsoft documentation, https://docs.microsoft.com/en-us/azure/kusto/query/functions/user-defined-functions |
| AzureLogAnalytics.SavedSearch.query | String | The query expression for the saved search. |
| AzureLogAnalytics.SavedSearch.tags | String | The tags attached to the saved search. |
| AzureLogAnalytics.SavedSearch.version | Number | The version number of the query language. The current version and default is 2. |
| AzureLogAnalytics.SavedSearch.type | String | The resource type, e.g., Microsoft.Compute/virtualMachines or Microsoft.Storage/storageAccounts. |

Command Example#

!azure-log-analytics-get-saved-search-by-id saved_search_id=test1234

Human Readable Output#

Saved search test1234 properties#

| Etag | Id | Category | Display Name | Query | Version |
| --- | --- | --- | --- | --- | --- |
| W/"datetime'2020-07-30T12%3A21%3A05.3197505Z'" | test1234 | test | test | SecurityAlert \| summarize arg_max(TimeGenerated, *) by SystemAlertId \| where SystemAlertId in("TEST_SYSTEM_ALERT_ID") | 2 |

azure-log-analytics-create-or-update-saved-search#


Creates or updates a saved search from the Log Analytics workspace.

Base Command#

azure-log-analytics-create-or-update-saved-search

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| saved_search_id | The ID of the saved search. | Required |
| etag | The ETag of the saved search. This argument is required for updating an existing saved search. | Optional |
| category | The category of the saved search. This helps users quickly find a saved search. | Required |
| display_name | The display name of the saved search. | Required |
| function_alias | The function alias if the query serves as a function. | Optional |
| function_parameters | The optional function parameters if the query serves as a function. Value should be in the following format: 'param-name1:type1 = default_value1, param-name2:type2 = default_value2'. For more examples and proper syntax, refer to https://docs.microsoft.com/en-us/azure/kusto/query/functions/user-defined-functions. | Optional |
| query | The query expression for the saved search. | Required |
| tags | The tags attached to the saved search. Value should be in the following format: 'name=value;name=value'. | Optional |
| subscription_id | The subscription ID to use. Note: This argument will override the instance parameter 'Default Subscription ID'. | Optional |
| resource_group_name | The name of the resource group within the user's subscription. Note: This argument will override the instance parameter 'Default Resource Group Name'. | Optional |
| workspace_name | The name of the workspace. Note: This argument will override the instance parameter 'Default Workspace Name'. | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| AzureLogAnalytics.SavedSearch.id | String | The ID of the saved search. |
| AzureLogAnalytics.SavedSearch.etag | String | The ETag of the saved search. |
| AzureLogAnalytics.SavedSearch.category | String | The category of the saved search. This helps users quickly find a saved search. |
| AzureLogAnalytics.SavedSearch.displayName | String | The display name of the saved search. |
| AzureLogAnalytics.SavedSearch.functionAlias | String | The function alias if the query serves as a function. |
| AzureLogAnalytics.SavedSearch.functionParameters | String | The optional function parameters if the query serves as a function. Value should be in the following format: 'param-name1:type1 = default_value1, param-name2:type2 = default_value2'. For more examples and proper syntax, refer to https://docs.microsoft.com/en-us/azure/kusto/query/functions/user-defined-functions. |
| AzureLogAnalytics.SavedSearch.query | String | The query expression for the saved search. |
| AzureLogAnalytics.SavedSearch.tags | String | The tags attached to the saved search. |
| AzureLogAnalytics.SavedSearch.version | Number | The version number of the query language. The current version and default is 2. |
| AzureLogAnalytics.SavedSearch.type | String | The resource type, e.g., Microsoft.Compute/virtualMachines or Microsoft.Storage/storageAccounts. |

Command Example#

!azure-log-analytics-create-or-update-saved-search saved_search_id="test1234" category="test" display_name="new display name test" query=`SecurityAlert
| summarize arg_max(TimeGenerated, *) by SystemAlertId
| where SystemAlertId in("TEST_SYSTEM_ALERT_ID")`

Human Readable Output#

Saved search test1234 properties#

| Etag | Id | Category | Display Name | Query | Version |
| --- | --- | --- | --- | --- | --- |
| W/"datetime'2020-07-30T12%3A21%3A05.3197505Z'" | test1234 | test | new display name test | SecurityAlert \| summarize arg_max(TimeGenerated, *) by SystemAlertId \| where SystemAlertId in("TEST_SYSTEM_ALERT_ID") | 2 |
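The following is an added example, not code from the integration or from Microsoft. It shows how the arguments of azure-log-analytics-create-or-update-saved-search map onto the saved-search resource: `tags` parsed from the 'name=value;name=value' form into the `{'name': ..., 'value': ...}` objects the list output above displays, a syntax check on `function_parameters`, `version` fixed at 2, and the `etag` sent as an `If-Match` header so an update cannot overwrite a version someone else saved in the meantime. The ARM savedSearches URL and the `If-Match` usage are assumptions, and `API_VERSION` is a placeholder to replace with the API version from the REST reference.

```python
"""Added example: argument mapping for create-or-update-saved-search.
Assumes the ARM savedSearches URL and If-Match for optimistic concurrency."""
import re

API_VERSION = "API_VERSION"  # placeholder: the page does not state the savedSearches API version
ARM = "https://management.azure.com"  # assumed management endpoint (Worldwide cloud)
# name:type, optionally followed by '= default'; hyphens allowed to match the page's template.
FUNCTION_PARAM_RE = re.compile(r"^\s*[A-Za-z_][\w-]*\s*:\s*[A-Za-z_]\w*\s*(?:=\s*\S.*)?$")


def parse_tags(tags):
    """'name=value;name=value' -> [{'name': ..., 'value': ...}, ...] as the API stores it."""
    result = []
    for item in (tags or "").split(";"):
        item = item.strip()
        if not item:
            continue
        name, sep, value = item.partition("=")
        if not sep or not name.strip():
            raise ValueError(f"tag {item!r} is not in name=value form")
        result.append({"name": name.strip(), "value": value.strip()})
    return result


def validate_function_parameters(params):
    """Check the 'name:type = default, name:type' syntax before the API rejects it.
    Defaults that contain commas are split too; keep such defaults quoted in KQL."""
    if not params or not params.strip():
        return None
    for param in params.split(","):
        if not FUNCTION_PARAM_RE.match(param):
            raise ValueError(f"bad function parameter: {param.strip()!r}")
    return params.strip()


def build_saved_search_request(subscription_id, resource_group, workspace, saved_search_id,
                               category, display_name, query, etag=None,
                               function_alias=None, function_parameters=None, tags=None):
    """Return (method, url, headers, body) for the create-or-update call."""
    url = (f"{ARM}/subscriptions/{subscription_id}/resourceGroups/{resource_group}"
           f"/providers/Microsoft.OperationalInsights/workspaces/{workspace}"
           f"/savedSearches/{saved_search_id}?api-version={API_VERSION}")
    properties = {"category": category, "displayName": display_name, "query": query, "version": 2}
    if function_alias:
        properties["functionAlias"] = function_alias
    params = validate_function_parameters(function_parameters)
    if params:
        properties["functionParameters"] = params
    tag_list = parse_tags(tags)
    if tag_list:
        properties["tags"] = tag_list
    headers = {"Content-Type": "application/json"}
    if etag:  # update: the server refuses the write if the search changed since it was read
        headers["If-Match"] = etag
    return "PUT", url, headers, {"properties": properties}


if __name__ == "__main__":
    print(build_saved_search_request("SUB", "RG", "WS", "test1234", "test", "new display name test",
                                     "SecurityAlert | summarize arg_max(TimeGenerated, *) by SystemAlertId",
                                     etag='W/"datetime\'2020-07-30T12%3A21%3A05.3197505Z\'"',
                                     tags="Group=Computer"))
```

Passing the ETag matters for saved searches that other analysts or playbooks edit: without it, a PUT unconditionally replaces the query, and a detection rule can be silently reverted to an older version.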

azure-log-analytics-delete-saved-search#


Deletes a specified saved search in the Log Analytics workspace.

Base Command#

azure-log-analytics-delete-saved-search

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| saved_search_id | The ID of the saved search. | Required |
| subscription_id | The subscription ID to use. Note: This argument will override the instance parameter 'Default Subscription ID'. | Optional |
| resource_group_name | The name of the resource group within the user's subscription. Note: This argument will override the instance parameter 'Default Resource Group Name'. | Optional |
| workspace_name | The name of the workspace. Note: This argument will override the instance parameter 'Default Workspace Name'. | Optional |

Context Output#

There is no context output for this command.

Command Example#

!azure-log-analytics-delete-saved-search saved_search_id=test1234

Human Readable Output#

Successfully deleted the saved search test1234.

azure-log-analytics-generate-login-url#


Generates the login URL used for the Authorization Code flow.

Base Command#

azure-log-analytics-generate-login-url

Input#

There are no input arguments for this command.

Context Output#

There is no context output for this command.

Command Example#

!azure-log-analytics-generate-login-url

Human Readable Output#

Authorization instructions#

  1. Click on the login URL to sign in and grant Cortex XSOAR permissions for your Azure Service Management. You will be automatically redirected to a link with the following structure: REDIRECT_URI?code=AUTH_CODE&session_state=SESSION_STATE
  2. Copy the AUTH_CODE (without the “code=” prefix, and the session_state parameter) and paste it in your instance configuration under the Authorization code parameter.
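The following is an added example, not code from the integration or from Microsoft, covering the Authorization Code flow described in the configuration steps and in the instructions above: it builds the sign-in URL for the self-deployed app and extracts the AUTH_CODE from the redirect URL (without the `code=` prefix and without the `session_state` parameter), refusing redirects that do not match the configured Redirect URI, that carry an error, or whose `state` does not match. The v2.0 authorize endpoint and the scope strings for the two delegated permissions listed under Required permissions are assumptions; the redirect URL in the test is constructed.

```python
"""Added example: login URL construction and redirect parsing for the
Authorization Code flow. Endpoint and scope strings are assumptions."""
from urllib.parse import urlencode, urlparse, parse_qs

# Assumed: Microsoft identity platform v2.0 authorize endpoint.
AUTHORIZE_ENDPOINT = "https://login.microsoftonline.com/{tenant}/oauth2/v2.0/authorize"

# Assumed scope values for the delegated permissions the page lists.
SCOPES = [
    "https://management.azure.com/user_impersonation",  # Azure Service Management
    "https://api.loganalytics.io/Data.Read",            # Log Analytics API
    "offline_access",                                   # refresh token, so the instance keeps working
]


def build_login_url(tenant_id, client_id, redirect_uri, state=None):
    """The URL the user opens to sign in and grant the app the scopes above."""
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": " ".join(SCOPES),
        "response_mode": "query",
    }
    if state:  # random per-request value; must come back unchanged in the redirect
        params["state"] = state
    return AUTHORIZE_ENDPOINT.format(tenant=tenant_id) + "?" + urlencode(params)


def extract_auth_code(redirect_url, expected_redirect_uri, expected_state=None):
    """Return AUTH_CODE from REDIRECT_URI?code=AUTH_CODE&session_state=SESSION_STATE.
    The session_state parameter is ignored; it is not part of the code."""
    got, want = urlparse(redirect_url), urlparse(expected_redirect_uri)
    if (got.scheme, got.netloc, got.path) != (want.scheme, want.netloc, want.path):
        raise ValueError("redirect URL does not match the configured Redirect URI")
    query = parse_qs(got.query)
    if "error" in query:
        raise ValueError(f"authorization failed: {query['error'][0]}: "
                         f"{query.get('error_description', [''])[0]}")
    if expected_state is not None and query.get("state", [None])[0] != expected_state:
        raise ValueError("state parameter missing or mismatched")
    codes = query.get("code")
    if not codes or not codes[0]:
        raise ValueError("no authorization code in redirect URL")
    return codes[0]


if __name__ == "__main__":
    login = build_login_url("TENANT_ID", "CLIENT_ID", "https://localhost/myapp", state="random-state")
    print(login)
    redirect = "https://localhost/myapp?code=AUTH_CODE&session_state=SESSION_STATE&state=random-state"
    print(extract_auth_code(redirect, "https://localhost/myapp", expected_state="random-state"))
```

The authorization code is a one-time secret that is exchanged, together with the client secret, for tokens; treat the pasted value like a credential and use a fresh login if it was exposed before being entered in the instance configuration.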

azure-log-analytics-subscriptions-list#


List all subscriptions for a tenant.

Base Command#

azure-log-analytics-subscriptions-list

Input#

There are no input arguments for this command.

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| AzureLogAnalytics.Subscription.authorizationSource | String | The authorization source of the request. |
| AzureLogAnalytics.Subscription.displayName | String | The subscription display name. |
| AzureLogAnalytics.Subscription.id | String | The fully qualified ID for the subscription. For example, /subscriptions/8d65815f-a5b6-402f-9298-045155da7d74. |
| AzureLogAnalytics.Subscription.managedByTenants | Unknown | An array containing the tenants managing the subscription. |
| AzureLogAnalytics.Subscription.state | Unknown | The subscription state. Possible values are Enabled, Warned, PastDue, Disabled, and Deleted. |
| AzureLogAnalytics.Subscription.subscriptionId | String | The subscription ID. |
| AzureLogAnalytics.Subscription.subscriptionPolicies | Unknown | The subscription policies. |
| AzureLogAnalytics.Subscription.tags | Object | The tags attached to the subscription. |
| AzureLogAnalytics.Subscription.tenantId | String | The subscription tenant ID. |

azure-log-analytics-workspace-list#


Gets workspaces in a resource group.

Base Command#

azure-log-analytics-workspace-list

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| subscription_id | The subscription ID. Note: This argument will override the instance parameter 'Default Subscription ID'. | Optional |
| resource_group_name | The name of the resource group within the user's subscription. Note: This argument will override the instance parameter 'Default Resource Group Name'. | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| AzureLogAnalytics.workspace.etag | String | The etag of the workspace. |
| AzureLogAnalytics.workspace.id | String | Fully qualified resource ID for the resource. |
| AzureLogAnalytics.workspace.identity.principalId | String | The principal ID of the resource identity. |
| AzureLogAnalytics.workspace.identity.tenantId | String | The tenant ID of the resource. |
| AzureLogAnalytics.workspace.identity.type | String | Type of managed service identity. |
| AzureLogAnalytics.workspace.identity.userAssignedIdentities.clientId | String | The client ID of the user-assigned identity. |
| AzureLogAnalytics.workspace.identity.userAssignedIdentities.principalId | String | The principal ID of the user-assigned identity. |
| AzureLogAnalytics.workspace.location | String | The geo-location where the resource lives. |
| AzureLogAnalytics.workspace.name | String | The name of the resource. |
| AzureLogAnalytics.workspace.properties.createdDate | String | Workspace creation date. |
| AzureLogAnalytics.workspace.properties.customerId | String | This is a read-only property. Represents the ID associated with the workspace. |
| AzureLogAnalytics.workspace.properties.defaultDataCollectionRuleResourceId | String | The resource ID of the default Data Collection Rule to use for this workspace. |
| AzureLogAnalytics.workspace.properties.features.clusterResourceId | String | Dedicated LA cluster resourceId that is linked to the workspaces. |
| AzureLogAnalytics.workspace.properties.features.disableLocalAuth | Boolean | Disable non-AAD based auth. |
| AzureLogAnalytics.workspace.properties.features.enableDataExport | Boolean | Flag that indicates if data should be exported. |
| AzureLogAnalytics.workspace.properties.features.enableLogAccessUsingOnlyResourcePermissions | Boolean | Flag that indicates which permission to use: resource, workspace, or both. |
| AzureLogAnalytics.workspace.properties.features.immediatePurgeDataOn30Days | Boolean | Flag that describes if we want to remove the data after 30 days. |
| AzureLogAnalytics.workspace.properties.forceCmkForQuery | Boolean | Indicates whether customer managed storage is mandatory for query management. |
| AzureLogAnalytics.workspace.properties.modifiedDate | String | Workspace modification date. |
| AzureLogAnalytics.workspace.properties.privateLinkScopedResources.resourceId | String | The full resource ID of the private link scope resource. |
| AzureLogAnalytics.workspace.properties.privateLinkScopedResources.scopeId | String | The private link scope unique identifier. |
| AzureLogAnalytics.workspace.properties.provisioningState | String | The provisioning state of the workspace. |
| AzureLogAnalytics.workspace.properties.publicNetworkAccessForIngestion | String | The network access type for accessing Log Analytics ingestion. |
| AzureLogAnalytics.workspace.properties.publicNetworkAccessForQuery | String | The network access type for accessing Log Analytics query. |
| AzureLogAnalytics.workspace.properties.retentionInDays | Number | The workspace data retention in days. Allowed values are per pricing plan. See pricing tiers documentation for details. |
| AzureLogAnalytics.workspace.properties.sku.capacityReservationLevel | Number | The capacity reservation level in GB for this workspace, when the CapacityReservation SKU is selected. |
| AzureLogAnalytics.workspace.properties.sku.lastSkuUpdate | String | The time of the last SKU update. |
| AzureLogAnalytics.workspace.properties.sku.name | String | The name of the SKU. |
| AzureLogAnalytics.workspace.properties.workspaceCapping.dailyQuotaGb | Number | The workspace daily quota for ingestion. |
| AzureLogAnalytics.workspace.properties.workspaceCapping.dataIngestionStatus | String | The status of data ingestion for this workspace. |
| AzureLogAnalytics.workspace.properties.workspaceCapping.quotaNextResetTime | String | The time when the quota will be reset. |
| AzureLogAnalytics.workspace.systemData.createdAt | String | The timestamp of resource creation (UTC). |
| AzureLogAnalytics.workspace.systemData.createdBy | String | The identity that created the resource. |
| AzureLogAnalytics.workspace.systemData.createdByType | String | The type of identity that created the resource. |
| AzureLogAnalytics.workspace.systemData.lastModifiedAt | String | The timestamp of resource last modification (UTC). |
| AzureLogAnalytics.workspace.systemData.lastModifiedBy | String | The identity that last modified the resource. |
| AzureLogAnalytics.workspace.systemData.lastModifiedByType | String | The type of identity that last modified the resource. |
| AzureLogAnalytics.workspace.tags | Object | Resource tags. |
| AzureLogAnalytics.workspace.type | String | The type of the resource. |

azure-log-analytics-resource-group-list#


List all resource groups for a subscription.

Base Command#

azure-log-analytics-resource-group-list

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| subscription_id | The subscription ID. Note: This argument will override the instance parameter 'Default Subscription ID'. | Optional |
| limit | Limit on the number of resource groups to return. Default is 50. | Optional |
| tag | A single tag in the form of '{"Tag Name":"Tag Value"}' to filter the list by. | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| AzureLogAnalytics.ResourceGroup.id | String | The ID of the resource group. |
| AzureLogAnalytics.ResourceGroup.location | String | The location of the resource group. |
| AzureLogAnalytics.ResourceGroup.managedBy | String | The ID of the resource that manages this resource group. |
| AzureLogAnalytics.ResourceGroup.name | String | The name of the resource group. |
| AzureLogAnalytics.ResourceGroup.properties.provisioningState | String | The provisioning state. |
| AzureLogAnalytics.ResourceGroup.tags | Object | The tags attached to the resource group. |
| AzureLogAnalytics.ResourceGroup.type | String | The type of the resource group. |

azure-log-analytics-auth-reset#


Run this command if for some reason you need to rerun the authentication process.

Base Command#

azure-log-analytics-auth-reset

Input#

There are no input arguments for this command.

Context Output#

There is no context output for this command.

azure-log-analytics-run-search-job#


Run a search job to fetch records from large datasets into a new search results table in your workspace.

Base Command#

azure-log-analytics-run-search-job

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| table_name | The name of the table to add. Must contain the '_SRCH' suffix. Example value: AuditLogs_SRCH. | Required |
| limit | Maximum number of records in the result set, up to one million records. Default is 50. | Optional |
| query | Log query written in KQL format to retrieve data. Search job queries must always start with a table name. For the proper syntax, see https://learn.microsoft.com/en-us/azure/data-explorer/kusto/query/whereoperator | Required |
| start_search_time | Start of the time range to search. The value can either be in minutes, days, weeks, or a simple ISO 8601 format such as "2023-10-31T00:00:00Z". Default is 1 day. | Optional |
| end_search_time | End of the time range to search. The value can either be in minutes, days, weeks, or a simple ISO 8601 format such as "2023-10-31T00:00:00Z". Default is now. | Optional |
| timeout | The timeout in seconds until polling ends. Default is 600. | Optional |
| interval | The interval in seconds between each poll. Default is 60. | Optional |
| subscription_id | The subscription ID to use. Note: This argument will override the instance parameter 'Default Subscription ID'. | Optional |
| resource_group_name | The name of the resource group within the user's subscription. Note: This argument will override the instance parameter 'Default Resource Group Name'. | Optional |
| workspace_name | The name of the workspace. Note: This argument will override the instance parameter 'Default Workspace Name'. | Optional |
| first_run | This argument is used to determine whether the current execution of the command is the initial run. After the command is executed, the argument is updated to 'false'. During polling, the code checks the status only for the first execution. This argument is for a developer, not for a user. Default is True. | Optional |
| hide_polling_output | Hide the polling message and only print the final status at the end. This argument is for a developer, not for a user. | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| AzureLogAnalytics.RunSearchJob.TableName | String | Table name. |
| AzureLogAnalytics.RunSearchJob.Query | String | The query that was used to create the table. |

Command example#

!azure-log-analytics-run-search-job table_name=test_SRCH query=AuditLogs limit=10

Human Readable Output#

The command was sent successfully. You can check the status of the command by running !azure-log-analytics-get-search-job command or wait.

After polling ends:

The test_SRCH table created successfully. In order to get the table, run !azure-log-analytics-execute-query query=test_SRCH
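The following is an added example, not the integration's own code. It applies the rules stated in the argument table above before anything is sent (the `_SRCH` suffix, a query that starts with a table name, a limit of at most one million records), converts `start_search_time` / `end_search_time` from the "N minutes/days/weeks", "now" or simple ISO 8601 forms into UTC timestamps, builds the search-job request, and polls for completion with the `timeout` and `interval` semantics described above. The ARM tables endpoint, the body shape `properties.searchResults.{query, limit, startSearchTime, endSearchTime}` (chosen to mirror the context output paths of azure-log-analytics-get-search-job), the use of `resultStatistics.progress` reaching 100 as the completion signal, and the placeholder `API_VERSION` are assumptions; the status sequence in the test is constructed.

```python
"""Added example: argument validation, time-range parsing, request body and
polling loop for a search job. Endpoint, body shape and API version are assumptions."""
import re
import time
from datetime import datetime, timedelta, timezone

API_VERSION = "API_VERSION"  # placeholder: the page does not state the tables API version
ARM = "https://management.azure.com"  # assumed management endpoint (Worldwide cloud)
MAX_LIMIT = 1_000_000  # "up to one million records"
TIME_FMT = "%Y-%m-%dT%H:%M:%SZ"
RELATIVE_RE = re.compile(r"^\s*(\d+)\s*(minutes?|days?|weeks?)\s*$", re.IGNORECASE)
UNIT_SECONDS = {"minute": 60, "day": 86_400, "week": 7 * 86_400}
# KQL operators that can legally open a query but are not table names.
NOT_A_TABLE = {"search", "union", "let", "print", "range", "find", "datatable"}


def to_utc_timestamp(value, now=None):
    """'now', a relative value ('30 minutes', '1 day', '2 weeks', counted back from now)
    or a simple ISO 8601 timestamp -> 'YYYY-MM-DDTHH:MM:SSZ'. `now` may be given as a
    timestamp string so results are reproducible."""
    if isinstance(now, str):
        now = datetime.strptime(now, TIME_FMT).replace(tzinfo=timezone.utc)
    now = now or datetime.now(timezone.utc)
    if value.strip().lower() == "now":
        return now.strftime(TIME_FMT)
    match = RELATIVE_RE.match(value)
    if match:
        amount, unit = int(match.group(1)), match.group(2).lower().rstrip("s")
        return (now - timedelta(seconds=amount * UNIT_SECONDS[unit])).strftime(TIME_FMT)
    return datetime.strptime(value.strip(), TIME_FMT).strftime(TIME_FMT)  # ValueError if malformed


def validate_search_job_args(table_name, query, limit):
    """Enforce the rules the argument table states before the job is created."""
    if not re.fullmatch(r"[A-Za-z][A-Za-z0-9_]*_SRCH", table_name):
        raise ValueError(f"table_name must be an identifier ending in '_SRCH': {table_name!r}")
    tokens = query.strip().split()
    if not tokens or not re.fullmatch(r"[A-Za-z_]\w*", tokens[0]) or tokens[0].lower() in NOT_A_TABLE:
        raise ValueError("search job queries must start with a table name")
    if not 1 <= int(limit) <= MAX_LIMIT:
        raise ValueError(f"limit must be between 1 and {MAX_LIMIT}")


def build_search_job_request(subscription_id, resource_group, workspace, table_name, query,
                             limit=50, start_search_time="1 day", end_search_time="now", now=None):
    """Return (method, url, body) for creating the search-job table."""
    validate_search_job_args(table_name, query, limit)
    start, end = to_utc_timestamp(start_search_time, now), to_utc_timestamp(end_search_time, now)
    if start >= end:  # same fixed-width format, so string order is chronological order
        raise ValueError("start_search_time must be before end_search_time")
    url = (f"{ARM}/subscriptions/{subscription_id}/resourceGroups/{resource_group}"
           f"/providers/Microsoft.OperationalInsights/workspaces/{workspace}/tables/{table_name}"
           f"?api-version={API_VERSION}")
    body = {"properties": {"searchResults": {"query": query, "limit": int(limit),
                                             "startSearchTime": start, "endSearchTime": end}}}
    return "PUT", url, body


def poll_until_done(get_status, timeout=600, interval=60, sleep=time.sleep, clock=time.monotonic):
    """Call get_status() every `interval` seconds until resultStatistics.progress reaches 100;
    raise TimeoutError after `timeout` seconds instead of polling forever."""
    deadline = clock() + timeout
    while True:
        status = get_status()
        progress = status.get("properties", {}).get("resultStatistics", {}).get("progress", 0)
        if progress >= 100:
            return status
        if clock() >= deadline:
            raise TimeoutError(f"search job not finished after {timeout} seconds")
        sleep(interval)


if __name__ == "__main__":
    print(build_search_job_request("SUB", "RG", "WS", "test_SRCH", "AuditLogs", limit=10,
                                   now="2023-10-31T00:00:00Z"))
```

`sleep` and `clock` are injectable only so the loop can be exercised without waiting; in production the defaults apply. Bounding the poll with a deadline is what keeps a stuck job from blocking a playbook indefinitely.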

azure-log-analytics-get-search-job#


Gets a Log Analytics workspace table.

Base Command#

azure-log-analytics-get-search-job

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| table_name | The name of the table. Example value: AuditLogs_SRCH. | Optional |
| subscription_id | The subscription ID to use. Note: This argument will override the instance parameter 'Default Subscription ID'. | Optional |
| resource_group_name | The name of the resource group within the user's subscription. Note: This argument will override the instance parameter 'Default Resource Group Name'. | Optional |
| workspace_name | The name of the workspace. Note: This argument will override the instance parameter 'Default Workspace Name'. | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| AzureLogAnalytics.SearchJob.systemData.createdBy | String | The identity that created the resource. |
| AzureLogAnalytics.SearchJob.systemData.createdAt | Date | The timestamp of resource creation (UTC). |
| AzureLogAnalytics.SearchJob.properties.resultStatistics.progress | Number | Search job completion percentage. |
| AzureLogAnalytics.SearchJob.properties.resultStatistics.ingestedRecords | Number | The number of rows that were returned by the search job. |
| AzureLogAnalytics.SearchJob.properties.resultStatistics.scannedGb | Number | Amount of scanned data in the search job, in GB. |
| AzureLogAnalytics.SearchJob.properties.searchResults.query | String | Search job query. |
| AzureLogAnalytics.SearchJob.properties.searchResults.description | String | Search job description. |
| AzureLogAnalytics.SearchJob.properties.searchResults.limit | Number | Limit the search job to return up to the specified number of rows. |
| AzureLogAnalytics.SearchJob.properties.searchResults.startSearchTime | Date | The timestamp to start the search from (UTC). |
| AzureLogAnalytics.SearchJob.properties.searchResults.endSearchTime | Date | The timestamp to end the search by (UTC). |
| AzureLogAnalytics.SearchJob.properties.searchResults.sourceTable | String | The table used in the search job. |
| AzureLogAnalytics.SearchJob.properties.schema.name | String | Table name. |
| AzureLogAnalytics.SearchJob.properties.schema.tableSubType | String | The subtype describes what APIs can be used to interact with the table, and what features are available against it (Any, Classic, DataCollectionRuleBased). |
| AzureLogAnalytics.SearchJob.properties.schema.tableType | String | Table type, indicating how the table was created (CustomLog, Microsoft, RestoredLogs, SearchResults). |
| AzureLogAnalytics.SearchJob.properties.schema.displayName | String | Table display name. |
| AzureLogAnalytics.SearchJob.properties.schema.description | String | Table description. |
| AzureLogAnalytics.SearchJob.properties.schema.columns | List | A list of table custom columns. |
| AzureLogAnalytics.SearchJob.properties.schema.standardColumns.isHidden | Boolean | Whether the column is hidden. |
| AzureLogAnalytics.SearchJob.properties.schema.standardColumns.name | String | Column name. |
| AzureLogAnalytics.SearchJob.properties.schema.standardColumns.type | String | Column data type (bool, datetime, dynamic, guid, int, long, real, string). |
| AzureLogAnalytics.SearchJob.properties.schema.standardColumns.dataTypeHint | String | Column data type logical hint (armPath, guid, ip, uri). |
| AzureLogAnalytics.SearchJob.properties.schema.standardColumns.displayName | String | Column display name. |
| AzureLogAnalytics.SearchJob.properties.schema.standardColumns.description | String | Column description. |
| AzureLogAnalytics.SearchJob.properties.schema.standardColumns.isDefaultDisplay | Boolean | Whether the column is displayed by default. |
| AzureLogAnalytics.SearchJob.properties.schema.categories | String | Table category. |
| AzureLogAnalytics.SearchJob.properties.schema.labels | String | Table labels. |
| AzureLogAnalytics.SearchJob.properties.schema.source | String | Table's creator (customer, microsoft). |
| AzureLogAnalytics.SearchJob.properties.schema.solutions | String | List of solutions the table is affiliated with. |
| AzureLogAnalytics.SearchJob.properties.provisioningState | String | Table's current provisioning state (Deleting, InProgress, Succeeded, Updating). If set to 'Updating', indicates a resource lock due to an ongoing operation, forbidding any update to the table until the ongoing operation is concluded. |
| AzureLogAnalytics.SearchJob.properties.retentionInDays | Number | The table retention in days, between 4 and 730. Setting this property to -1 will default to the workspace retention. |
| AzureLogAnalytics.SearchJob.properties.totalRetentionInDays | Number | The table total retention in days, between 4 and 2556. Setting this property to -1 will default to the table retention. |
| AzureLogAnalytics.SearchJob.properties.archiveRetentionInDays | Number | The table data archive retention in days. Calculated as (totalRetentionInDays - retentionInDays). |
| AzureLogAnalytics.SearchJob.properties.retentionInDaysAsDefault | Boolean | True - value originates from the workspace retention in days; False - customer specific. |
| AzureLogAnalytics.SearchJob.properties.totalRetentionInDaysAsDefault | Boolean | True - value originates from the table retention in days; False - customer specific. |
| AzureLogAnalytics.SearchJob.properties.plan | String | Instructs the system how to handle and charge the logs ingested to this table. |
| AzureLogAnalytics.SearchJob.id | String | Fully qualified resource ID for the resource. Ex - /subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/{resourceProviderNamespace}/{resourceType}/{resourceName}. |
| AzureLogAnalytics.SearchJob.name | String | The name of the resource. |

Command example#

!azure-log-analytics-get-search-job table_name=test_SRCH

Context Example#

```json
{
    "AzureLogAnalytics": {
        "SearchJob": {
            "id": "/tables/test_SRCH",
            "name": "test_SRCH",
            "properties": {
                "archiveRetentionInDays": 0,
                "createDate": "2023-11-01T21:27:50.3032268Z",
                "createdBy": "TEST",
                "lastPlanModifiedDate": "2023-11-01T21:27:50.3031023Z",
                "plan": "Analytics",
                "provisioningState": "InProgress",
                "resultStatistics": {
                    "ingestedRecords": 0,
                    "progress": 0,
                    "scannedGb": 0
                },
                "retentionInDays": 30,
                "retentionInDaysAsDefault": true,
                "schema": {
                    "columns": [
                        {
                            "isDefaultDisplay": false,
                            "isHidden": false,
                            "name": "_OriginalTenantId",
                            "type": "string"
                        },
                        {
                            "isDefaultDisplay": false,
                            "isHidden": false,
                            "name": "SourceSystem",
                            "type": "string"
                        }
                    ],
                    "isTroubleshootingAllowed": false,
                    "name": "test_SRCH",
                    "solutions": [
                        "LogManagement"
                    ],
                    "standardColumns": [
                        {
                            "isDefaultDisplay": false,
                            "isHidden": false,
                            "name": "TenantId",
                            "type": "guid"
                        }
                    ],
                    "tableSubType": "DataCollectionRuleBased",
                    "tableType": "SearchResults"
                },
                "searchResults": {
                    "azureAsyncOperationId": "TEST",
                    "description": "This table was created using a Search Job with the following query: 'AuditLogs'.",
                    "endSearchTime": "2023-11-01T21:27:43.744Z",
                    "limit": 10,
                    "query": "AuditLogs",
                    "sourceTable": "AuditLogs",
                    "startSearchTime": "2023-10-31T21:27:43.735Z"
                },
                "totalRetentionInDays": 30,
                "totalRetentionInDaysAsDefault": true
            },
            "systemData": {
                "createdAt": "2023-11-01T21:27:50.3032268Z",
                "createdBy": "TEST",
                "createdByType": null,
                "lastModifiedAt": null,
                "lastModifiedBy": null,
                "lastModifiedByType": null
            }
        }
    }
}
```

Human Readable Output#

Search Job#

| Create Date | Description | Name | Plan | Query | endSearchTime | provisioningState | startSearchTime |
| --- | --- | --- | --- | --- | --- | --- | --- |
| 2023-11-02T17:28:22.9374877Z | This table was created using a Search Job with the following query: 'AuditLogs'. | test_SRCH | Analytics | AuditLogs | 2023-11-02T17:28:18.602Z | InProgress | 2023-11-01T17:28:18.592Z |

azure-log-analytics-delete-search-job#


Deletes a search job table from the Log Analytics workspace. We recommend you delete the search job table when you're done querying it. This reduces workspace clutter and the extra charges for retaining its data.

Base Command#

azure-log-analytics-delete-search-job

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| table_name | The name of the table. Must end with the '_SRCH' suffix. Example value: AuditLogs_SRCH. | Optional |
| subscription_id | The subscription ID to use. Note: This argument will override the instance parameter 'Default Subscription ID'. | Optional |
| resource_group_name | The name of the resource group within the user's subscription. Note: This argument will override the instance parameter 'Default Resource Group Name'. | Optional |
| workspace_name | The name of the Log Analytics workspace. Note: This argument will override the instance parameter 'Default Workspace Name'. | Optional |

Context Output#

There is no context output for this command.

Command example#

!azure-log-analytics-delete-search-job table_name=test_SRCH

Human Readable Output#

Search job test_SRCH deleted successfully.
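The three commands above form one lifecycle: run a search job into a `*_SRCH` table, poll azure-log-analytics-get-search-job until the table is provisioned, query the table, then delete it. The following Python is an added example, not code from the integration or from the Azure Log Analytics pack. It parses a get-search-job response shaped like the context example above (the response objects here are constructed samples, and the `fetch` callable stands in for the command rather than being the integration's API), decides from `provisioningState` and `resultStatistics.progress` when the table is ready, and enforces the `_SRCH` naming rule that the delete command requires. The completion criterion is an assumption based on the documented context fields, not something the page states.

```python
"""Search-job lifecycle helpers for the Azure Log Analytics integration.

Added example, not the integration's own code. Response dicts are
constructed samples modelled on the get-search-job context example.
"""
from __future__ import annotations

import copy
import re
from dataclasses import dataclass
from typing import Callable

# Search job result tables must end with _SRCH; the delete command
# on this page refuses any other name.
_SRCH_TABLE = re.compile(r"^[A-Za-z][A-Za-z0-9_]*_SRCH$")

# provisioningState values documented above; anything else is treated
# as an error rather than silently polled forever.
_LIVE_STATES = {"InProgress", "Updating", "Succeeded"}


def is_valid_search_table_name(name: str) -> bool:
    return _SRCH_TABLE.fullmatch(name) is not None


def validate_search_table_name(name: str) -> str:
    if not is_valid_search_table_name(name):
        raise ValueError(f"search job table must end with '_SRCH', got {name!r}")
    return name


@dataclass(frozen=True)
class SearchJobStatus:
    table: str
    provisioning_state: str
    progress: float
    ingested_records: int
    scanned_gb: float
    query: str

    @property
    def done(self) -> bool:
        # Assumed readiness rule: table provisioned and job at 100%.
        return self.provisioning_state == "Succeeded" and self.progress >= 100


def parse_search_job(response: dict) -> SearchJobStatus:
    """Pull the fields worth polling on out of one get-search-job response."""
    props = response["properties"]
    stats = props.get("resultStatistics") or {}
    results = props.get("searchResults") or {}
    return SearchJobStatus(
        table=validate_search_table_name(response["name"]),
        provisioning_state=props["provisioningState"],
        progress=float(stats.get("progress", 0)),
        ingested_records=int(stats.get("ingestedRecords", 0)),
        scanned_gb=float(stats.get("scannedGb", 0)),
        query=results.get("query", ""),
    )


def wait_for_search_job(fetch: Callable[[], dict], max_polls: int = 60) -> SearchJobStatus:
    """Poll `fetch` (one get-search-job response per call) until the table is ready.

    A real caller sleeps between polls; the loop is bounded so a job that
    never reaches Succeeded cannot hang a playbook.
    """
    for _ in range(max_polls):
        status = parse_search_job(fetch())
        if status.provisioning_state not in _LIVE_STATES:
            raise RuntimeError(f"search job {status.table} is in state {status.provisioning_state}")
        if status.done:
            return status
    raise TimeoutError(f"search job not complete after {max_polls} polls")


# Constructed sample, shaped like the context example for test_SRCH.
SAMPLE_IN_PROGRESS = {
    "id": "/tables/test_SRCH",
    "name": "test_SRCH",
    "properties": {
        "plan": "Analytics",
        "provisioningState": "InProgress",
        "resultStatistics": {"ingestedRecords": 0, "progress": 0, "scannedGb": 0},
        "searchResults": {"query": "AuditLogs", "limit": 10, "sourceTable": "AuditLogs"},
    },
}


def sample_poll_sequence() -> list[dict]:
    """Two InProgress responses, then Succeeded with the 10 rows the limit allows."""
    done = copy.deepcopy(SAMPLE_IN_PROGRESS)
    done["properties"]["provisioningState"] = "Succeeded"
    done["properties"]["resultStatistics"] = {"ingestedRecords": 10, "progress": 100, "scannedGb": 0.02}
    return [SAMPLE_IN_PROGRESS, SAMPLE_IN_PROGRESS, done]


def run_lifecycle_demo() -> tuple[SearchJobStatus, list[str]]:
    """Return the final status plus the commands a playbook issues, in order."""
    table = validate_search_table_name("test_SRCH")
    responses = iter(sample_poll_sequence())
    status = wait_for_search_job(lambda: next(responses))
    commands = [
        f"!azure-log-analytics-run-search-job table_name={table} query=AuditLogs limit=10",
        f"!azure-log-analytics-get-search-job table_name={table}",
        f"!azure-log-analytics-execute-query query={table}",
        f"!azure-log-analytics-delete-search-job table_name={table}",
    ]
    return status, commands


if __name__ == "__main__":
    final, cmds = run_lifecycle_demo()
    print(f"{final.table}: {final.provisioning_state}, {final.ingested_records} rows ingested")
    print("\n".join(cmds))
```

Bounding the poll count and rejecting unexpected provisioning states matters in practice: a search job that stalls, or a table someone deleted mid-poll, should fail the playbook step rather than spin until the task times out, and validating the `_SRCH` suffix up front avoids issuing a delete the API will reject.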

Troubleshooting#

In case of a hash verification error:

  1. Use the Oproxy flow to generate a new pair of credentials, so that the instance authenticates with fresh credentials instead of the pair that failed verification.
  2. Run the command !azure-log-analytics-auth-reset. This resets the integration's stored authentication state so that the new credentials are accepted.
  3. Enter the newly created credentials into the original instance where the error occurred. Check that the credentials are entered correctly to avoid further errors.
  4. After updating the credentials, test the integration.