Skip to main content

Azure Log Analytics

This Integration is part of the Azure Log Analytics Pack.#

Log Analytics is a service that helps you collect and analyze data generated by resources in your cloud and on-premises environments. This integration was integrated and tested with version 2021-06-01 of Azure Log Analytics.

Authorize Cortex XSOAR for Azure Log Analytics#

You need to grant Cortex XSOAR authorization to access Azure Log Analytics.

Note: The Azure account must have permission to manage applications in Azure Active Directory (Azure AD). Any of the following Azure AD roles include the required permissions:

  • Application administrator
  • Application developer
  • Cloud application administrator

In addition, the user needs to be assigned the Log Analytics Reader role. To add the role, see the Microsoft article.

  1. Access the authorization flow.
  2. Click Start Authorization Process. You will be prompted to grant Cortex XSOAR permissions for your Azure Service Management.
  3. Click Accept. You will receive your ID, token, and key. You need to enter these when you configure the Azure Log Analytics integration instance in Cortex XSOAR.

Authorize Cortex XSOAR for Azure Log Analytics (Self-Deployed Configuration)#

To use a self-configured Azure application, you need to add a new Azure App Registration in the Azure Portal. To add the registration, see the Microsoft article.

Required permissions#

  • Azure Service Management - permission user_impersonation of type Delegated
  • Log Analytics API - permission Data.Read of type Delegated

In the self-deployed mode you can authenticate, by using one of the following flows:

  • Authentication code flow
  • Client Credentials flow

Authentication Code flow#


  1. Enter your client ID in the ID\Client ID parameter (credentials username).
  2. Enter your client secret in the password parameter (credentials password).
  3. Enter your tenant ID in the Token parameter.
  4. Enter your redirect URI in the Redirect URI parameter.
  5. Save the integration settings.
  6. Run the !azure-log-analytics-generate-login-url command in the War Room and follow the instruction.

Authorize Cortex XSOAR for Azure Log Analytics (Client-Credentials Configuration)#


Follow these steps for client-credentials configuration.

  1. In the instance configuration, select the client-credentials checkbox.
  2. Enter your Client ID in the ID/Client ID parameter (credentials username).
  3. Enter your Client Secret in the password parameter (credentials password).
  4. Enter your Tenant ID in the Tenant ID parameter.
  5. Run the azure-log-analytics-test command to test the connection and the authorization process.
  6. Enter your redirect URI in the Redirect URI parameter.

Get the additional instance parameters#

To get the Subscription ID, Workspace Name, Workspace ID and Resource Group parameters, navigate in the Azure Portal to Azure Sentinel > YOUR-WORKSPACE > Settings and click the Workspace Settings tab.

Configure Azure Log Analytics on Cortex XSOAR#

  1. Navigate to Settings > Integrations > Servers & Services.
  2. Search for Azure Log Analytics.
  3. Click Add instance to create and configure a new integration instance.
ParameterDescriptionRequired
credentials - identifierID\Client ID (received from the authorization step or from the self-deployed configuration process - see Detailed Instructions (?) section)True
refresh_tokenToken\tenant_id (received from the authorization step or from the self-deployed configuration process - see Detailed Instructions (?) section)True
credentials - passwordKey\Client secret (received from the authorization step - see Detailed Instructions (?) section)False
Certificate ThumbprintUsed for certificate authentication. As appears in the "Certificates & secrets" page of the app.False
Private KeyUsed for certificate authentication. The private key of the registered certificate.False
Use Azure Managed IdentitiesRelevant only if the integration is running on Azure VM. If selected, authenticates based on the value provided for the Azure Managed Identities Client ID field. If no value is provided for the Azure Managed Identities Client ID field, authenticates based on the System Assigned Managed Identity. For additional information, see the Help tab.False
Azure Managed Identities Client IDThe Managed Identities client ID for authentication - relevant only if the integration is running on Azure VM.False
self_deployedUse a self-deployed Azure application.False
Use Client Credentials Authorization FlowUse a self-deployed Azure application and authenticate using the Client Credentials flow.False
redirect_uriApplication redirect URI (for self-deployed mode)False
auth_codeAuthorization code (received from the authorization step - see Detailed Instructions (?) section)False
subscriptionIDSubscription IDTrue
resourceGroupNameResource Group NameTrue
workspaceNameWorkspace NameTrue
workspaceIDWorkspace ID (the UUID of the workspace, e.g., 123e4567-e89b-12d3-a456-426614174000)True
insecureTrust any certificate (not secure)False
proxyUse system proxy settingsFalse
  1. Click Test to validate the URLs, token, and connection.

Commands#

You can execute these commands from the Cortex XSOAR CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.

azure-log-analytics-execute-query#


Executes an Analytics query for data.

Base Command#

azure-log-analytics-execute-query

Input#

Argument NameDescriptionRequired
queryThe query to execute.Required
timespanThe timespan over which to query data. This is an ISO8601 time period value. This timespan is applied in addition to any timespans specified in the query expression.Optional
timeoutThe amount of time (in seconds) that a request will wait for the query response before a timeout occurs.Optional

Context Output#

PathTypeDescription
AzureLogAnalytics.Query.QueryStringThe executed query.
AzureLogAnalytics.Query.TableNameStringThe name of the query table.

Command Example#

!azure-log-analytics-execute-query query="Usage | take 10" workspace_id=WORKSPACE_ID

Human Readable Output#

Query Results#

PrimaryResult#

Tenant IdComputerTime GeneratedSource SystemStart TimeEnd TimeResource UriData TypeSolutionBatches Within SlaBatches Outside SlaBatches CappedTotal BatchesAvg Latency In SecondsQuantityQuantity UnitIs BillableMeter IdLinked Meter IdType
TENANT_IDDeprecated field: see http://aka.ms/LA-Usage2020-07-30T04:00:00ZOMS2020-07-30T03:00:00Z2020-07-30T04:00:00Z/subscriptions/SUBSCRIPTION_ID/resourcegroups/RESOURCE_GROUP/providers/microsoft.operationalinsights/workspaces/WORKSPACE_NAMEOperationLogManagement000000.00714MBytesfalseMETER_ID00000000-0000-0000-0000-000000000000Usage
TENANT_IDDeprecated field: see http://aka.ms/LA-Usage2020-07-30T04:00:00ZOMS2020-07-30T03:00:00Z2020-07-30T04:00:00Z/subscriptions/SUBSCRIPTION_ID/resourcegroups/RESOURCE_GROUP/providers/microsoft.operationalinsights/workspaces/WORKSPACE_NAMESigninLogsLogManagement000000.012602MBytestrueMETER_ID00000000-0000-0000-0000-000000000000Usage
TENANT_IDDeprecated field: see http://aka.ms/LA-Usage2020-07-30T05:00:00ZOMS2020-07-30T04:00:00Z2020-07-30T05:00:00Z/subscriptions/SUBSCRIPTION_ID/resourcegroups/RESOURCE_GROUP/providers/microsoft.operationalinsights/workspaces/WORKSPACE_NAMEOfficeActivityOffice365/SecurityInsights000000.00201499908978072MBytesfalseMETER_ID00000000-0000-0000-0000-000000000000Usage
TENANT_IDDeprecated field: see http://aka.ms/LA-Usage2020-07-30T05:00:00ZOMS2020-07-30T04:00:00Z2020-07-30T05:00:00Z/subscriptions/SUBSCRIPTION_ID/resourcegroups/RESOURCE_GROUP/providers/microsoft.operationalinsights/workspaces/WORKSPACE_NAMESigninLogsLogManagement000000.009107MBytestrueMETER_ID00000000-0000-0000-0000-000000000000Usage

azure-log-analytics-list-saved-searches#


Gets the saved searches of the Log Analytics workspace.

Base Command#

azure-log-analytics-list-saved-searches

Input#

Argument NameDescriptionRequired
limitThe maximum number of saved searches to return. Default is 50.Optional
pageThe page number from which to start a search.Optional

Context Output#

PathTypeDescription
AzureLogAnalytics.SavedSearch.idStringThe ID of the saved search.
AzureLogAnalytics.SavedSearch.etagStringThe ETag of the saved search.
AzureLogAnalytics.SavedSearch.categoryStringThe category of the saved search. This helps users quickly find a saved search.
AzureLogAnalytics.SavedSearch.displayNameStringDisplay name of the saved search.
AzureLogAnalytics.SavedSearch.functionAliasStringThe function alias if the query serves as a function.
AzureLogAnalytics.SavedSearch.functionParametersStringThe optional function parameters if the query serves as a function. Value should be in the following format: 'param-name1:type1 = default_value1, param-name2:type2 = default_value2'. For more examples and proper syntax please refer to https://docs.microsoft.com/en-us/azure/kusto/query/functions/user-defined-functions
AzureLogAnalytics.SavedSearch.queryStringThe query expression for the saved search.
AzureLogAnalytics.SavedSearch.tagsStringThe tags attached to the saved search.
AzureLogAnalytics.SavedSearch.versionNumberThe version number of the query language. The current version and default is 2.
AzureLogAnalytics.SavedSearch.typeStringThe resource type, e.g., Microsoft.Compute/virtualMachines or Microsoft.Storage/storageAccounts.

Command Example#

!azure-log-analytics-list-saved-searches limit=3

Human Readable Output#

Saved searches#

EtagIdCategoryDisplay NameFunction AliasFunction ParametersQueryTagsVersionType
W/"datetime'2020-07-05T13%3A38%3A41.053438Z'"test2category1test2heartbeat_funca:int=1Heartbeat | summarize Count() by Computer | take a{'name': 'Group', 'value': 'Computer'}2Microsoft.OperationalInsights/savedSearches
W/"datetime'2020-07-28T18%3A43%3A56.8625448Z'"test123Saved Search Test Categorytest123heartbeat_funca:int=1Heartbeat | summarize Count() by Computer | take a{'name': 'Group', 'value': 'Computer'}2Microsoft.OperationalInsights/savedSearches
W/"datetime'2020-07-30T11%3A41%3A35.1459664Z'"test1234testtestSecurityAlert
| summarize arg_max(TimeGenerated, *) by SystemAlertId
| where SystemAlertId in("TEST_SYSTEM_ALERT_ID")
2Microsoft.OperationalInsights/savedSearches

azure-log-analytics-get-saved-search-by-id#


Gets the specified saved search from the Log Analytics workspace.

Base Command#

azure-log-analytics-get-saved-search-by-id

Input#

Argument NameDescriptionRequired
saved_search_idThe ID of the saved search.Required

Context Output#

PathTypeDescription
AzureLogAnalytics.SavedSearch.idStringThe ID of the saved search.
AzureLogAnalytics.SavedSearch.etagStringThe ETag of the saved search.
AzureLogAnalytics.SavedSearch.categoryStringThe category of the saved search. This helps users quickly find a saved search.
AzureLogAnalytics.SavedSearch.displayNameStringThe display name of the saved search.
AzureLogAnalytics.SavedSearch.functionAliasStringThe function alias if the query serves as a function.
AzureLogAnalytics.SavedSearch.functionParametersStringThe optional function parameters if the query serves as a function. Value should be in the following format: 'param-name1:type1 = default_value1, param-name2:type2 = default_value2'. For more examples and proper syntax see the Microsoft documention, https://docs.microsoft.com/en-us/azure/kusto/query/functions/user-defined-functions
AzureLogAnalytics.SavedSearch.queryStringThe query expression for the saved search.
AzureLogAnalytics.SavedSearch.tagsStringThe tags attached to the saved search.
AzureLogAnalytics.SavedSearch.versionNumberThe version number of the query language. The current version and default is 2.
AzureLogAnalytics.SavedSearch.typeStringThe resource type, e.g., Microsoft.Compute/virtualMachines or Microsoft.Storage/storageAccounts.

Command Example#

!azure-log-analytics-get-saved-search-by-id saved_search_id=test1234

Human Readable Output#

Saved search test1234 properties#

EtagIdCategoryDisplay NameQueryVersion
W/"datetime'2020-07-30T12%3A21%3A05.3197505Z'"test1234testtestSecurityAlert | summarize arg_max(TimeGenerated, *) by SystemAlertId | where SystemAlertId in("TEST_SYSTEM_ALERT_ID")2

azure-log-analytics-create-or-update-saved-search#


Creates or updates a saved search from the Log Analytics workspace.

Base Command#

azure-log-analytics-create-or-update-saved-search

Input#

Argument NameDescriptionRequired
saved_search_idThe ID of the saved search.Required
etagThe ETag of the saved search. This argument is required for updating an existing saved search.Optional
categoryThe category of the saved search. This helps users quickly find a saved search.Required
display_nameThe display name of the saved search.Required
function_aliasThe function alias if the query serves as a function.Optional
function_parametersThe optional function parameters if the query serves as a function. Value should be in the following format: 'param-name1:type1 = default_value1, param-name2:type2 = default_value2'. For more examples and proper syntax please refer to https://docs.microsoft.com/en-us/azure/kusto/query/functions/user-defined-functions.Optional
queryThe query expression for the saved search.Required
tagsThe tags attached to the saved search. Value should be in the following format: 'name=value;name=value'Optional

Context Output#

PathTypeDescription
AzureLogAnalytics.SavedSearch.idStringThe ID of the saved search.
AzureLogAnalytics.SavedSearch.etagStringThe ETag of the saved search.
AzureLogAnalytics.SavedSearch.categoryStringThe category of the saved search. This helps users quickly find a saved search.
AzureLogAnalytics.SavedSearch.displayNameStringThe display name of the saved search.
AzureLogAnalytics.SavedSearch.functionAliasStringThe function alias if the query serves as a function.
AzureLogAnalytics.SavedSearch.functionParametersStringThe optional function parameters if the query serves as a function. Value should be in the following format: 'param-name1:type1 = default_value1, param-name2:type2 = default_value2'. For more examples and proper syntax please refer to https://docs.microsoft.com/en-us/azure/kusto/query/functions/user-defined-functions
AzureLogAnalytics.SavedSearch.queryStringThe query expression for the saved search.
AzureLogAnalytics.SavedSearch.tagsStringThe tags attached to the saved search.
AzureLogAnalytics.SavedSearch.versionNumberThe version number of the query language. The current version and default is 2.
AzureLogAnalytics.SavedSearch.typeStringThe resource type, e.g., Microsoft.Compute/virtualMachines or Microsoft.Storage/storageAccounts.

Command Example#

!azure-log-analytics-create-or-update-saved-search saved_search_id="test1234" category="test" display_name="new display name test" query=`SecurityAlert
| summarize arg_max(TimeGenerated, *) by SystemAlertId
| where SystemAlertId in("TEST_SYSTEM_ALERT_ID")

Human Readable Output#

Saved search test1234 properties#

EtagIdCategoryDisplay NameQueryVersion
W/"datetime'2020-07-30T12%3A21%3A05.3197505Z'"test1234testnew display name testSecurityAlert | summarize arg_max(TimeGenerated, *) by SystemAlertId | where SystemAlertId in("TEST_SYSTEM_ALERT_ID")2

azure-log-analytics-delete-saved-search#


Deletes a specified saved search in the Log Analytics workspace.

Base Command#

azure-log-analytics-delete-saved-search

Input#

Argument NameDescriptionRequired
saved_search_idThe ID of the saved search.Required

Context Output#

There is no context output for this command.

Command Example#

!azure-log-analytics-delete-saved-search saved_search_id=test1234

Human Readable Output#

Successfully deleted the saved search test1234.

azure-log-analytics-test#


Tests connectivity to Azure Log Analytics.

Base Command#

azure-log-analytics-test

Input#

There are no input arguments for this command.

Context Output#

There is no context output for this command.

Command Example#

!azure-log-analytics-test

Human Readable Output#

✅ Success!

azure-log-analytics-generate-login-url#


Generate the login url used for Authorization code flow.

Base Command#

azure-log-analytics-generate-login-url

Input#

There are no input arguments for this command.

Context Output#

There is no context output for this command.

Command Example#

azure-log-analytics-generate-login-url

Human Readable Output#

Authorization instructions#

  1. Click on the login URL to sign in and grant Cortex XSOAR permissions for your Azure Service Management. You will be automatically redirected to a link with the following structure: REDIRECT_URI?code=AUTH_CODE&session_state=SESSION_STATE
  2. Copy the AUTH_CODE (without the “code=” prefix, and the session_state parameter) and paste it in your instance configuration under the Authorization code parameter.