Azure Log Analytics (Beta)

This is a beta Integration, which lets you implement and test pre-release software. Since the integration is beta, it might contain bugs. Updates to the integration during the beta phase might include non-backward compatible features. We appreciate your feedback on the quality and usability of the integration to help us identify issues, fix them, and continually improve.

Log Analytics is a service that helps you collect and analyze data generated by resources in your cloud and on-premises environments. This integration was integrated and tested with version 2020-03-01-preview of Azure Log Analytics.

Authorize Cortex XSOAR for Azure Log Analytics

You need to grant Cortex XSOAR authorization to access Azure Log Analytics.

  1. Access the authorization flow.
  2. Click the Start Authorization Process button and you will be prompted to grant Cortex XSOAR permissions for your Azure Service Management.
  3. Click the Accept button and you will receive your ID, token, and key. You will need to enter these when you configure the Azure Log Analytics integration instance in Cortex XSOAR.

Authorize Cortex XSOAR for Azure Log Analytics (self-deployed configuration)

Follow these steps for a self-deployed configuration.

  1. To use a self-configured Azure application, you need to add a new Azure App Registration in the Azure Portal. To add the registration, refer to the following Microsoft article.
  2. Make sure the following permissions are granted for the app registration:
    • Azure Service Management - permission user_impersonation of type Delegated
    • Log Analytics API - permission Data.Read of type Delegated
  3. Copy the following URL and replace the CLIENT_ID and REDIRECT_URI with your own client ID and redirect URI, accordingly. https://login.microsoftonline.com/common/oauth2/authorize?response_type=code&resource=https://management.core.windows.net&client_id=CLIENT_ID&redirect_uri=REDIRECT_URI
  4. Enter the link and you will be prompted to grant Cortex XSOAR permissions for your Azure Service Management. You will be automatically redirected to a link with the following structure: REDIRECT_URI?code=AUTH_CODE&session_state=SESSION_STATE
  5. Copy the AUTH_CODE (without the “code=” prefix) and paste it in your instance configuration under the Authorization code parameter.
  6. Enter your client ID in the ID parameter.
  7. Enter your client secret in the Key parameter.
  8. Enter your tenant ID in the Token parameter.
  9. Enter your redirect URI in the Redirect URI parameter.
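The URL construction in step 3 and the code extraction in steps 4 and 5, as an added Python example (not part of the integration's own code). It URL-encodes the redirect URI, accepts the code only when the redirect Azure sends back matches the registered REDIRECT_URI, and surfaces an OAuth error response instead of silently returning nothing; CLIENT_ID and the xsoar.example.com callback are constructed placeholders.

```python
from urllib.parse import urlencode, urlsplit, parse_qs

AUTHORIZE_ENDPOINT = "https://login.microsoftonline.com/common/oauth2/authorize"
RESOURCE = "https://management.core.windows.net"


def build_authorize_url(client_id: str, redirect_uri: str) -> str:
    """Build the step-3 URL; urlencode escapes the ':' and '/' in the redirect URI."""
    params = {
        "response_type": "code",
        "resource": RESOURCE,
        "client_id": client_id,
        "redirect_uri": redirect_uri,
    }
    return f"{AUTHORIZE_ENDPOINT}?{urlencode(params)}"


def extract_auth_code(redirected_url: str, registered_redirect_uri: str) -> str:
    """Return AUTH_CODE from 'REDIRECT_URI?code=AUTH_CODE&session_state=...' (steps 4-5).

    Raises ValueError if the redirect target differs from the registered URI, if
    Azure returned an error instead of a code, or if the code parameter is missing.
    """
    got = urlsplit(redirected_url)
    want = urlsplit(registered_redirect_uri)
    # Only trust a code that was delivered to the redirect URI registered on the app.
    if (got.scheme, got.netloc, got.path) != (want.scheme, want.netloc, want.path):
        raise ValueError(f"redirect target {got.netloc}{got.path} does not match the registered redirect URI")
    query = parse_qs(got.query)
    if "error" in query:
        detail = query.get("error_description", [""])[0]
        raise ValueError(f"authorization failed: {query['error'][0]} {detail}".strip())
    codes = query.get("code", [])
    if len(codes) != 1 or not codes[0]:
        raise ValueError("no single 'code' parameter in the redirect")
    # parse_qs already removed the 'code=' prefix that step 5 tells you to leave out.
    return codes[0]


if __name__ == "__main__":
    # Constructed placeholder values, not real credentials.
    print(build_authorize_url("CLIENT_ID", "https://xsoar.example.com/callback"))
    redirect = "https://xsoar.example.com/callback?code=AUTH_CODE&session_state=SESSION_STATE"
    print(extract_auth_code(redirect, "https://xsoar.example.com/callback"))
```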

Get the additional instance parameters

To get the Subscription ID, Workspace Name, Workspace ID and Resource Group parameters, navigate in the Azure Portal to Azure Sentinel > YOUR-WORKSPACE > Settings and click the Workspace Settings tab.

Configure Azure Log Analytics on Cortex XSOAR

  1. Navigate to Settings > Integrations > Servers & Services.
  2. Search for Azure Log Analytics.
  3. Click Add instance to create and configure a new integration instance.

| Parameter | Description | Required |
| --- | --- | --- |
| auth_id | ID (received from the authorization step; see the Detailed Instructions section) | True |
| refresh_token | Token (received from the authorization step; see the Detailed Instructions section) | True |
| enc_key | Key (received from the authorization step; see the Detailed Instructions section) | True |
| self_deployed | Use a self-deployed Azure application | False |
| redirect_uri | Application redirect URI (for self-deployed mode) | False |
| auth_code | Authorization code (received from the authorization step; see the Detailed Instructions section) | False |
| subscriptionID | Subscription ID | True |
| resourceGroupName | Resource Group Name | True |
| workspaceName | Workspace Name | True |
| workspaceID | Workspace ID (the UUID of the workspace, e.g. 123e4567-e89b-12d3-a456-426614174000) | True |
| insecure | Trust any certificate (not secure) | False |
| proxy | Use system proxy settings | False |

  4. Click Test to validate the URLs, token, and connection.

Commands

You can execute these commands from the Demisto CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.

azure-log-analytics-execute-query

Executes an Analytics query for data.

Base Command

azure-log-analytics-execute-query

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| query | The query to execute. | Required |
| timespan | The timespan over which to query data. This is an ISO 8601 time period value. This timespan is applied in addition to any timespans specified in the query expression. | Optional |
| timeout | The amount of time (in seconds) that a request will wait for the query response before a timeout occurs. | Optional |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| AzureLogAnalytics.Query.Query | String | The executed query. |
| AzureLogAnalytics.Query.TableName | String | The name of the query table. |

Command Example

!azure-log-analytics-execute-query query="Usage | take 10" workspace_id=WORKSPACE_ID

Human Readable Output

Query Results

PrimaryResult

| Tenant Id | Computer | Time Generated | Source System | Start Time | End Time | Resource Uri | Data Type | Solution | Batches Within Sla | Batches Outside Sla | Batches Capped | Total Batches | Avg Latency In Seconds | Quantity | Quantity Unit | Is Billable | Meter Id | Linked Meter Id | Type |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| TENANT_ID | Deprecated field: see http://aka.ms/LA-Usage | 2020-07-30T04:00:00Z | OMS | 2020-07-30T03:00:00Z | 2020-07-30T04:00:00Z | /subscriptions/SUBSCRIPTION_ID/resourcegroups/RESOURCE_GROUP/providers/microsoft.operationalinsights/workspaces/WORKSPACE_NAME | Operation | LogManagement | 0 | 0 | 0 | 0 | 0 | 0.00714 | MBytes | false | METER_ID | 00000000-0000-0000-0000-000000000000 | Usage |
| TENANT_ID | Deprecated field: see http://aka.ms/LA-Usage | 2020-07-30T04:00:00Z | OMS | 2020-07-30T03:00:00Z | 2020-07-30T04:00:00Z | /subscriptions/SUBSCRIPTION_ID/resourcegroups/RESOURCE_GROUP/providers/microsoft.operationalinsights/workspaces/WORKSPACE_NAME | SigninLogs | LogManagement | 0 | 0 | 0 | 0 | 0 | 0.012602 | MBytes | true | METER_ID | 00000000-0000-0000-0000-000000000000 | Usage |
| TENANT_ID | Deprecated field: see http://aka.ms/LA-Usage | 2020-07-30T05:00:00Z | OMS | 2020-07-30T04:00:00Z | 2020-07-30T05:00:00Z | /subscriptions/SUBSCRIPTION_ID/resourcegroups/RESOURCE_GROUP/providers/microsoft.operationalinsights/workspaces/WORKSPACE_NAME | OfficeActivity | Office365/SecurityInsights | 0 | 0 | 0 | 0 | 0 | 0.00201499908978072 | MBytes | false | METER_ID | 00000000-0000-0000-0000-000000000000 | Usage |
| TENANT_ID | Deprecated field: see http://aka.ms/LA-Usage | 2020-07-30T05:00:00Z | OMS | 2020-07-30T04:00:00Z | 2020-07-30T05:00:00Z | /subscriptions/SUBSCRIPTION_ID/resourcegroups/RESOURCE_GROUP/providers/microsoft.operationalinsights/workspaces/WORKSPACE_NAME | SigninLogs | LogManagement | 0 | 0 | 0 | 0 | 0 | 0.009107 | MBytes | true | METER_ID | 00000000-0000-0000-0000-000000000000 | Usage |

azure-log-analytics-list-saved-searches

Gets the saved searches of the Log Analytics workspace.

Base Command

azure-log-analytics-list-saved-searches

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| limit | The maximum number of saved searches to return. Default is 50. | Optional |
| page | The page number from which to start a search. | Optional |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| AzureLogAnalytics.SavedSearch.id | String | The ID of the saved search. |
| AzureLogAnalytics.SavedSearch.etag | String | The ETag of the saved search. |
| AzureLogAnalytics.SavedSearch.category | String | The category of the saved search. This helps users quickly find a saved search. |
| AzureLogAnalytics.SavedSearch.displayName | String | The display name of the saved search. |
| AzureLogAnalytics.SavedSearch.functionAlias | String | The function alias if the query serves as a function. |
| AzureLogAnalytics.SavedSearch.functionParameters | String | The optional function parameters if the query serves as a function. Value should be in the following format: 'param-name1:type1 = default_value1, param-name2:type2 = default_value2'. For more examples and proper syntax, refer to https://docs.microsoft.com/en-us/azure/kusto/query/functions/user-defined-functions |
| AzureLogAnalytics.SavedSearch.query | String | The query expression for the saved search. |
| AzureLogAnalytics.SavedSearch.tags | String | The tags attached to the saved search. |
| AzureLogAnalytics.SavedSearch.version | Number | The version number of the query language. The current version and default is 2. |
| AzureLogAnalytics.SavedSearch.type | String | The resource type, e.g., Microsoft.Compute/virtualMachines or Microsoft.Storage/storageAccounts. |

Command Example

!azure-log-analytics-list-saved-searches limit=3

Human Readable Output

Saved searches

| Etag | Id | Category | Display Name | Function Alias | Function Parameters | Query | Tags | Version | Type |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| W/"datetime'2020-07-05T13%3A38%3A41.053438Z'" | test2 | category1 | test2 | heartbeat_func | a:int=1 | Heartbeat \| summarize Count() by Computer \| take a | {'name': 'Group', 'value': 'Computer'} | 2 | Microsoft.OperationalInsights/savedSearches |
| W/"datetime'2020-07-28T18%3A43%3A56.8625448Z'" | test123 | Saved Search Test Category | test123 | heartbeat_func | a:int=1 | Heartbeat \| summarize Count() by Computer \| take a | {'name': 'Group', 'value': 'Computer'} | 2 | Microsoft.OperationalInsights/savedSearches |
| W/"datetime'2020-07-30T11%3A41%3A35.1459664Z'" | test1234 | test | test | | | SecurityAlert \| summarize arg_max(TimeGenerated, *) by SystemAlertId \| where SystemAlertId in("TEST_SYSTEM_ALERT_ID") | | 2 | Microsoft.OperationalInsights/savedSearches |

azure-log-analytics-get-saved-search-by-id

Gets the specified saved search from the Log Analytics workspace.

Base Command

azure-log-analytics-get-saved-search-by-id

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| saved_search_id | The ID of the saved search. | Required |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| AzureLogAnalytics.SavedSearch.id | String | The ID of the saved search. |
| AzureLogAnalytics.SavedSearch.etag | String | The ETag of the saved search. |
| AzureLogAnalytics.SavedSearch.category | String | The category of the saved search. This helps users quickly find a saved search. |
| AzureLogAnalytics.SavedSearch.displayName | String | The display name of the saved search. |
| AzureLogAnalytics.SavedSearch.functionAlias | String | The function alias if the query serves as a function. |
| AzureLogAnalytics.SavedSearch.functionParameters | String | The optional function parameters if the query serves as a function. Value should be in the following format: 'param-name1:type1 = default_value1, param-name2:type2 = default_value2'. For more examples and proper syntax see the Microsoft documentation, https://docs.microsoft.com/en-us/azure/kusto/query/functions/user-defined-functions |
| AzureLogAnalytics.SavedSearch.query | String | The query expression for the saved search. |
| AzureLogAnalytics.SavedSearch.tags | String | The tags attached to the saved search. |
| AzureLogAnalytics.SavedSearch.version | Number | The version number of the query language. The current version and default is 2. |
| AzureLogAnalytics.SavedSearch.type | String | The resource type, e.g., Microsoft.Compute/virtualMachines or Microsoft.Storage/storageAccounts. |

Command Example

!azure-log-analytics-get-saved-search-by-id saved_search_id=test1234

Human Readable Output

Saved search test1234 properties

| Etag | Id | Category | Display Name | Query | Version |
| --- | --- | --- | --- | --- | --- |
| W/"datetime'2020-07-30T12%3A21%3A05.3197505Z'" | test1234 | test | test | SecurityAlert \| summarize arg_max(TimeGenerated, *) by SystemAlertId \| where SystemAlertId in("TEST_SYSTEM_ALERT_ID") | 2 |

azure-log-analytics-create-or-update-saved-search

Creates or updates a saved search in the Log Analytics workspace.

Base Command

azure-log-analytics-create-or-update-saved-search

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| saved_search_id | The ID of the saved search. | Required |
| etag | The ETag of the saved search. This argument is required for updating an existing saved search. | Optional |
| category | The category of the saved search. This helps users quickly find a saved search. | Required |
| display_name | The display name of the saved search. | Required |
| function_alias | The function alias if the query serves as a function. | Optional |
| function_parameters | The optional function parameters if the query serves as a function. Value should be in the following format: 'param-name1:type1 = default_value1, param-name2:type2 = default_value2'. For more examples and proper syntax, refer to https://docs.microsoft.com/en-us/azure/kusto/query/functions/user-defined-functions | Optional |
| query | The query expression for the saved search. | Required |
| tags | The tags attached to the saved search. Value should be in the following format: 'name=value;name=value' | Optional |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| AzureLogAnalytics.SavedSearch.id | String | The ID of the saved search. |
| AzureLogAnalytics.SavedSearch.etag | String | The ETag of the saved search. |
| AzureLogAnalytics.SavedSearch.category | String | The category of the saved search. This helps users quickly find a saved search. |
| AzureLogAnalytics.SavedSearch.displayName | String | The display name of the saved search. |
| AzureLogAnalytics.SavedSearch.functionAlias | String | The function alias if the query serves as a function. |
| AzureLogAnalytics.SavedSearch.functionParameters | String | The optional function parameters if the query serves as a function. Value should be in the following format: 'param-name1:type1 = default_value1, param-name2:type2 = default_value2'. For more examples and proper syntax, refer to https://docs.microsoft.com/en-us/azure/kusto/query/functions/user-defined-functions |
| AzureLogAnalytics.SavedSearch.query | String | The query expression for the saved search. |
| AzureLogAnalytics.SavedSearch.tags | String | The tags attached to the saved search. |
| AzureLogAnalytics.SavedSearch.version | Number | The version number of the query language. The current version and default is 2. |
| AzureLogAnalytics.SavedSearch.type | String | The resource type, e.g., Microsoft.Compute/virtualMachines or Microsoft.Storage/storageAccounts. |

Command Example

!azure-log-analytics-create-or-update-saved-search saved_search_id="test1234" category="test" display_name="new display name test" query=`SecurityAlert
| summarize arg_max(TimeGenerated, *) by SystemAlertId
| where SystemAlertId in("TEST_SYSTEM_ALERT_ID")`
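Turning this command's arguments into saved-search properties, as an added Python example (not the integration's own code): the tags argument in its 'name=value;name=value' format becomes the name/value pairs that the saved-search output lists, function_parameters is checked against the 'param-name:type = default_value' format, and optional arguments that were not supplied are left out. The property names follow the context output paths; that the request body is laid out this way is an assumption.

```python
import re
from typing import Dict, List, Optional

# One 'name:type = default' entry, e.g. 'a:int=1' as shown in the saved-search listing.
_FUNCTION_PARAM = re.compile(r"^\s*[A-Za-z_][\w-]*\s*:\s*\w+\s*(=\s*\S.*)?$")


def parse_tags(tags: Optional[str]) -> List[Dict[str, str]]:
    """'name=value;name=value' -> [{'name': ..., 'value': ...}, ...].

    Empty input gives []; blank segments (a trailing ';') are skipped; only the
    first '=' separates name from value, so a value may itself contain '='.
    """
    result = []
    for segment in (tags or "").split(";"):
        if not segment.strip():
            continue
        if "=" not in segment:
            raise ValueError(f"tag '{segment}' is not in name=value format")
        name, value = segment.split("=", 1)
        if not name.strip():
            raise ValueError(f"tag '{segment}' has an empty name")
        result.append({"name": name.strip(), "value": value.strip()})
    return result


def validate_function_parameters(params: Optional[str]) -> Optional[str]:
    """Accept 'param1:type1 = default1, param2:type2 = default2' (or None) as-is."""
    if params is None:
        return None
    for entry in params.split(","):
        if not _FUNCTION_PARAM.match(entry):
            raise ValueError(f"function parameter '{entry.strip()}' is not 'name:type = default'")
    return params.strip()


def build_saved_search_properties(category: str, display_name: str, query: str,
                                  function_alias: Optional[str] = None,
                                  function_parameters: Optional[str] = None,
                                  tags: Optional[str] = None) -> dict:
    """Assemble the properties for create-or-update; optional fields not given are omitted."""
    properties = {"category": category, "displayName": display_name,
                  "query": query, "version": 2}  # 2 is the documented default version
    if function_alias:
        properties["functionAlias"] = function_alias
    if function_parameters is not None:
        properties["functionParameters"] = validate_function_parameters(function_parameters)
    if tags:
        properties["tags"] = parse_tags(tags)
    return properties
```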

Human Readable Output

Saved search test1234 properties

| Etag | Id | Category | Display Name | Query | Version |
| --- | --- | --- | --- | --- | --- |
| W/"datetime'2020-07-30T12%3A21%3A05.3197505Z'" | test1234 | test | new display name test | SecurityAlert \| summarize arg_max(TimeGenerated, *) by SystemAlertId \| where SystemAlertId in("TEST_SYSTEM_ALERT_ID") | 2 |

azure-log-analytics-delete-saved-search

Deletes a specified saved search in the Log Analytics workspace.

Base Command

azure-log-analytics-delete-saved-search

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| saved_search_id | The ID of the saved search. | Required |

Context Output

There is no context output for this command.

Command Example

!azure-log-analytics-delete-saved-search saved_search_id=test1234

Human Readable Output

Successfully deleted the saved search test1234.

azure-log-analytics-test

Tests connectivity to Azure Log Analytics.

Base Command

azure-log-analytics-test

Input

There are no input arguments for this command.

Context Output

There is no context output for this command.

Command Example

!azure-log-analytics-test

Human Readable Output

✅ Success!