Azure Log Analytics 2.0.0
App Vendor: Microsoft
App Category: Analytics & SIEM
Connector Version: 2.0.1
API Version: 1.0.0
About App
The Azure Log Analytics app enables security analysts to collect and analyze data generated by resources in cloud and on-premises environments.
The Azure Log Analytics app is configured with Cyware Orchestrate to perform the following actions:
Action Name | Description |
---|---|
Execute Query | This action executes an analytics query. |
Get Saved Search Details | This action retrieves the details of a specific saved search. |
List Saved Searches by Workspace | This action retrieves the list of saved searches in a workspace. |
Generic Action | This is a generic action used to make requests to any Azure Log Analytics endpoint. |
Configuration Parameters
The following configuration parameters are required for the Azure Log Analytics app to communicate with the Azure Log Analytics enterprise application. The parameters can be configured by creating instances in the app.
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Client ID | Enter the client ID for authentication. | Text | Required | |
Client Secret | Enter the client secret for authentication. | Password | Required | |
Tenant ID | Enter the tenant ID. | Text | Required | |
Base URL | Enter the custom base URL to access Azure Log Analytics. | Text | Optional | |
Verify | Choose whether to verify the SSL/TLS certificate of Azure Log Analytics while making requests. It is recommended to set this option to yes. Setting it to no skips certificate verification, so the connection may be established with an unverified endpoint. | Boolean | Optional | By default, verification is enabled. |
Timeout | Enter the timeout value in seconds. This is the number of seconds that requests will wait to establish a connection with Azure Log Analytics. | Integer | Optional | Allowed range: 15-120. Default value: 15. |
Action: Execute Query
This action executes an analytics query.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Workspace ID | Enter the workspace ID. Example: 63613592-b6f7-4c3d-a390-22ba13102111 | Text | Required | |
Query | Enter the query text that you want to execute. Example: union * \| where timegenerated > ago(1h) by type, tenantid | Text | Required | |
Workspaces | Enter the list of the workspaces. Example: $LIST[azurepoc-workspace] | List | Required | |
Timespan | Enter the timespan in ISO 8601 format. Example: PT12H | Text | Optional | |
Example Request
[ { "query": "CCFApplicationLogs | where Level == \"fail\"\n| sort by TimeGenerated desc\n| limit 100", "workspaces": [ "azurepoc-workspace" ], "workspace_id": "e44974c8-4b77-4323-aa4e-4c88ccabacc8" } ]
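As an added illustration, not the app's own code, the following Python shows what the Execute Query action amounts to at the API level, using only the standard library: a client-credentials token request built from the Client ID, Client Secret and Tenant ID configuration parameters; the query request built from the Workspace ID, Query, Workspaces and Timespan inputs, with the GUID and ISO 8601 checks the table implies; the Verify and Timeout parameters applied when sending; and the query API's tables/columns/rows response flattened into one dict per row. The login.microsoftonline.com token endpoint, the api.loganalytics.io query endpoint and its scope are the public Azure endpoints and are assumptions here, since the page does not state what the app calls; the sample response is constructed.

```python
"""Added example (not the Cyware app's code): Execute Query against the Azure
Log Analytics query API with the standard library only.

Assumed (not stated on the page): OAuth 2.0 client-credentials grant at
login.microsoftonline.com and the public query endpoint on api.loganalytics.io.
"""
import json
import re
import ssl
import urllib.parse
import urllib.request

TOKEN_URL = "https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token"   # assumption
QUERY_URL = "https://api.loganalytics.io/v1/workspaces/{workspace_id}/query"  # assumption
SCOPE = "https://api.loganalytics.io/.default"                                 # assumption

GUID_RE = re.compile(r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$", re.I)
# ISO 8601 duration as the Timespan input expects, e.g. PT12H, P1D, P1DT6H
ISO_DURATION_RE = re.compile(
    r"^P(?!$)(\d+Y)?(\d+M)?(\d+W)?(\d+D)?(T(?=\d)(\d+H)?(\d+M)?(\d+S)?)?$")


def build_token_request(tenant_id, client_id, client_secret):
    """Form-encoded client-credentials request from the Configuration Parameters."""
    body = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": SCOPE,
    }).encode()
    return {"url": TOKEN_URL.format(tenant=tenant_id), "method": "POST",
            "headers": {"Content-Type": "application/x-www-form-urlencoded"},
            "body": body}


def build_query_request(token, workspace_id, query, timespan=None, workspaces=None):
    """JSON request for the Execute Query action, validating the inputs the table describes."""
    if not GUID_RE.match(workspace_id):
        raise ValueError(f"workspace_id is not a GUID: {workspace_id!r}")
    if timespan is not None and not ISO_DURATION_RE.match(timespan):
        raise ValueError(f"timespan is not an ISO 8601 duration: {timespan!r}")
    body = {"query": query}
    if timespan:
        body["timespan"] = timespan
    if workspaces:
        body["workspaces"] = list(workspaces)  # additional workspaces for a cross-workspace query
    return {"url": QUERY_URL.format(workspace_id=workspace_id), "method": "POST",
            "headers": {"Authorization": f"Bearer {token}",
                        "Content-Type": "application/json"},
            "body": json.dumps(body).encode()}


def send(req, verify=True, timeout=15):
    """Send a built request, honouring the Verify and Timeout configuration parameters."""
    if not 15 <= timeout <= 120:
        raise ValueError("timeout must be within the allowed range 15-120 seconds")
    ctx = ssl.create_default_context()
    if not verify:
        # Verify = no: certificate and hostname checks are skipped; the peer is not authenticated.
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    r = urllib.request.Request(req["url"], data=req["body"], headers=req["headers"],
                               method=req["method"])
    with urllib.request.urlopen(r, timeout=timeout, context=ctx) as resp:
        return json.loads(resp.read())


def rows_as_dicts(response):
    """Flatten the query API's tables/columns/rows layout into one dict per row."""
    out = []
    for table in response.get("tables", []):
        names = [c["name"] for c in table["columns"]]
        for row in table["rows"]:
            out.append(dict(zip(names, row)))
    return out


# Constructed sample response in the documented shape, so the parser runs offline.
SAMPLE_RESPONSE = {"tables": [{
    "name": "PrimaryResult",
    "columns": [{"name": "TimeGenerated", "type": "datetime"},
                {"name": "Level", "type": "string"},
                {"name": "Message", "type": "string"}],
    "rows": [["2024-01-01T00:00:00Z", "fail", "login rejected"],
             ["2024-01-01T00:01:00Z", "fail", "token expired"]],
}]}

if __name__ == "__main__":
    req = build_query_request("<token>", "e44974c8-4b77-4323-aa4e-4c88ccabacc8",
                              'CCFApplicationLogs | where Level == "fail" | limit 100',
                              timespan="PT12H", workspaces=["azurepoc-workspace"])
    print(req["url"], json.loads(req["body"]))
    print(rows_as_dicts(SAMPLE_RESPONSE))
```

The two builders return plain dicts so the exact URL, headers and body the action produces can be inspected or logged before anything is sent; `send()` is the only function that touches the network.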
Action: Get Saved Search Details
This action retrieves the details of a specific saved search.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Subscription ID | Enter the subscription ID. Example: 9677ae65-e240-48aa-b929-13d57393b8c9 | Text | Required | |
Resource Group Name | Enter the resource group name. Example: azurepoc | Text | Required | |
Workspace Name | Enter the workspace name. Example: azurepoc-workspace | Text | Required | |
Saved Search ID | Enter the saved search ID to retrieve the details. Example: 543bdc75-c26e-4c77-b77b-1b066d17f58d | Text | Required | You can retrieve this using the action List Saved Searches by Workspace. |
API Version | Enter the API version. | Text | Optional | Default value: 2023-09-01 |
Base URL | Enter the custom base URL to perform this action. | Text | Optional | |
Example Request
[ { "workspace_name": "azurepoc-workspace", "saved_search_id": "543bdc75-c26e-4c77-b77b-1b066d17f58d", "subscription_id": "9677ae65-e240-48aa-b929-13d57393b8c9", "resource_group_name": "azurepoc" } ]
Action: List Saved Searches by Workspace
This action retrieves the list of saved searches in a workspace.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Subscription ID | Enter the subscription ID. Example: 9677ae65-e240-48aa-b929-13d57393b8c9 | Text | Required | |
Resource Group Name | Enter the resource group name. Example: azurepoc | Text | Required | |
Workspace Name | Enter the workspace name. Example: azurepoc-workspace | Text | Required | |
API Version | Enter the API version. | Text | Optional | Default value: 2023-09-01 |
Base URL | Enter the custom base URL to perform the action. | Text | Optional | |
Example Request
[ { "workspace_name": "azurepoc-workspace", "subscription_id": "9677ae65-e240-48aa-b929-13d57393b8c9", "resource_group_name": "azurepoc", "api_version": "2020-08-01" } ]
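The two saved-search actions map onto the Azure Resource Manager savedSearches resource, and the Saved Search ID that Get Saved Search Details needs is the last path segment of each item returned by List Saved Searches by Workspace. The Python below is an added example, not the app's code: it builds the URL for either action from the Subscription ID, Resource Group Name, Workspace Name, optional Saved Search ID, API Version and Base URL inputs, validates the api-version format, and pulls the IDs out of a constructed list response. The management.azure.com host and the Microsoft.OperationalInsights provider path are assumptions, since the page does not state the endpoint; the response sample is constructed.

```python
"""Added example (not the Cyware app's code): URL construction for the two
saved-search actions and ID extraction from a List response.

Assumed (not on the page): the public ARM host and the
Microsoft.OperationalInsights/workspaces/{name}/savedSearches resource path.
"""
import re
from urllib.parse import urlencode

ARM_BASE = "https://management.azure.com"   # assumption: public ARM endpoint
DEFAULT_API_VERSION = "2023-09-01"           # default from the action tables
API_VERSION_RE = re.compile(r"^\d{4}-\d{2}-\d{2}(-preview)?$")


def saved_searches_url(subscription_id, resource_group_name, workspace_name,
                       saved_search_id=None, api_version=DEFAULT_API_VERSION,
                       base_url=ARM_BASE):
    """List Saved Searches by Workspace (no ID) or Get Saved Search Details (with ID)."""
    if not API_VERSION_RE.match(api_version):
        raise ValueError(f"api_version must look like YYYY-MM-DD, got {api_version!r}")
    path = (f"/subscriptions/{subscription_id}/resourceGroups/{resource_group_name}"
            f"/providers/Microsoft.OperationalInsights/workspaces/{workspace_name}"
            f"/savedSearches")
    if saved_search_id:
        path += f"/{saved_search_id}"
    return f"{base_url.rstrip('/')}{path}?{urlencode({'api-version': api_version})}"


def saved_search_ids(list_response):
    """Map each saved search's display name to the ID Get Saved Search Details expects.

    The ID is the final segment of the item's resource 'id' path."""
    return {item["properties"]["displayName"]: item["id"].rsplit("/", 1)[-1]
            for item in list_response.get("value", [])}


# Constructed sample List response (shape only; the query text is made up).
SAMPLE_LIST = {"value": [
    {"id": "/subscriptions/9677ae65-e240-48aa-b929-13d57393b8c9/resourceGroups/azurepoc"
           "/providers/Microsoft.OperationalInsights/workspaces/azurepoc-workspace"
           "/savedSearches/543bdc75-c26e-4c77-b77b-1b066d17f58d",
     "name": "543bdc75-c26e-4c77-b77b-1b066d17f58d",
     "properties": {"category": "Security", "displayName": "Failed logins",
                    "query": "SigninLogs | where ResultType != 0"}},
]}

if __name__ == "__main__":
    sub, rg, ws = "9677ae65-e240-48aa-b929-13d57393b8c9", "azurepoc", "azurepoc-workspace"
    print(saved_searches_url(sub, rg, ws))                       # List action
    ids = saved_search_ids(SAMPLE_LIST)
    print(saved_searches_url(sub, rg, ws, ids["Failed logins"]))  # Get action
```

Passing `api_version="2020-08-01"`, as in the example request above, produces the same path with that version; the check only rejects values that are not date-shaped, which is the usual cause of an ARM 400 on these calls.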
Action: Generic Action
This is a generic action used to make requests to any Azure Log Analytics endpoint.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Method | Enter the HTTP method to make the request. Example: GET | Text | Required | Allowed values: GET, PUT, POST, PATCH, DELETE |
Endpoint | Enter the endpoint to make the request to. Example: /{resourceId}/query?query={query} | Text | Required | |
Custom Base URL | Enter the custom base URL to perform this action. | Text | Optional | |
Payload | Enter the payload to pass to the API. Example: $JSON[{"data": [{"reason": "test"}]}] | Any | Optional | |
Query Params | Enter the query parameters to pass to the API. Example: {"limit": "10"} | Key Value | Optional | |
Extra Fields | Enter the extra fields to pass to the API. | Key Value | Optional | Allowed keys: payload_data, custom_output, download, filename, files, retry_wait, retry_count, response_type |
Example Request
[ { "method": "GET", "endpoint": "/{resourceId}/query?query={query}", "query_params": { "page": "0", "size": "100" } } ]