Azure Log Analytics v1.0.0

About the connector

Log Analytics is a service that helps you collect and analyze data generated by resources in your cloud and on-premises environments.

This document provides information about the Azure Log Analytics Connector, which facilitates automated interactions with an Azure Log Analytics service-based URI using FortiSOAR™ playbooks. Add the Azure Log Analytics Connector as a step in FortiSOAR™ playbooks to perform automated operations on queries and saved searches in Azure Log Analytics.

Version information

Connector Version: 1.0.0

Authored By: Community

Certified: No

Accessing the Azure Log Analytics API

Your application needs to be both authenticated and authorized to access the Azure Log Analytics API. The REST APIs of Azure Log Analytics allow you to run queries in Azure Log Analytics and also perform operations such as retrieve, create, update, and delete saved searches in Azure Log Analytics.

The following configuration parameters are required to authenticate the Azure Log Analytics connector with the Azure Log Analytics API.

  • Client ID
  • Client Secret
  • Tenant ID
  • Redirect URI

The following configuration parameter is required to authorize the Azure Log Analytics connector with the Azure Log Analytics API.

  • Authorization Code

Follow the steps below to obtain the authentication details and the authorization code needed to access the Azure Log Analytics API:

  1. Register your client application with Azure Active Directory (AD). See Register your client application for more information.
  2. Once the application is registered in Azure AD, you have access to the following authentication details: client ID, tenant ID, redirect URI, and client secret (you generate the client secret after registering the app in Azure AD).

    Make a note of these authentication codes. In the Configurations tab of the connector, enter the authentication details in the following fields in order to authenticate the Azure Log Analytics connector with the Azure Log Analytics API.

    • In the Client ID field, enter the client ID.
    • In the Client Secret field, enter the client secret.
    • In the Tenant ID field, enter the tenant ID.
    • In the Redirect URL field, enter the redirect URI. By default, the redirect URI is set to https://localhost/myapp.

    Now that you have the authentication codes, you can use them to generate the authorization code.

  3. Ensure that the registered application has Azure Service Management listed in the API Permissions list with Delegated permissions for user_impersonation.
  4. Copy the following URL into a browser and replace the TENANT_ID, CLIENT_ID, and REDIRECT_URI with the tenant ID, client ID, and redirect URI that are generated at the time of registering the application: https://login.microsoftonline.com/TENANT_ID/oauth2/v2.0/authorize?response_type=code&scope=https://management.azure.com/user_impersonation offline_access user.read&client_id=CLIENT_ID&redirect_uri=REDIRECT_URI
  5. In the event you have not been granted the required permissions to your registered application, the link you entered in the preceding step will prompt you to grant Delegated permissions for user_impersonation in the Azure Service Management API. If you have already granted the permissions, you will not be prompted again.
  6. Next, you will be automatically redirected to a link with the following structure: REDIRECT_URI?code=AUTH_CODE&session_state=SESSION_STATE. Copy the AUTH_CODE, and in the Configurations tab of the connector, paste the AUTH_CODE in the Authorization Code field.

The process to access the Azure Log Analytics API is now complete.
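The two error-prone parts of the procedure above are step 4 (the URL contains a scope with spaces and an embedded URL, so it must be percent-encoded) and step 6 (picking the code out of the redirect). The following Python script is an added example, not connector code from the page or from Fortinet: it builds the step-4 URL from the page's template and extracts AUTH_CODE from a step-6 redirect, refusing the code when the redirect's scheme, host and path do not match the registered redirect URI (the page states the two must match exactly) or when the identity provider returned an error instead of a code. Tenant, client and code values in the usage lines are constructed placeholders.

```python
"""Added example (not part of the connector or the Fortinet page): builds the
authorization URL from step 4 and extracts AUTH_CODE from the redirect in
step 6. Standard library only; every id used below is a constructed placeholder.
"""
from urllib.parse import urlencode, urlsplit, parse_qs

# Scope string exactly as given in step 4 of the page (space-separated).
SCOPE = "https://management.azure.com/user_impersonation offline_access user.read"


def build_authorize_url(tenant_id: str, client_id: str, redirect_uri: str) -> str:
    """Return the step-4 URL with every query value percent-encoded.

    The scope contains spaces and a URL and the redirect URI contains "://";
    none of these may appear raw inside a query string.
    """
    params = {
        "response_type": "code",
        "scope": SCOPE,
        "client_id": client_id,
        "redirect_uri": redirect_uri,
    }
    return (
        f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/authorize?"
        + urlencode(params)
    )


def extract_auth_code(redirect_url: str, registered_redirect_uri: str) -> str:
    """Pull AUTH_CODE out of REDIRECT_URI?code=AUTH_CODE&session_state=...

    Checks that scheme, host and path of the URL the browser landed on match
    the registered redirect URI before trusting the code, and raises on an
    error response (error=...) instead of returning an empty string.
    """
    landed = urlsplit(redirect_url)
    registered = urlsplit(registered_redirect_uri)
    if (landed.scheme, landed.netloc, landed.path) != (
        registered.scheme, registered.netloc, registered.path
    ):
        raise ValueError("redirect URL does not match the registered redirect URI")
    query = parse_qs(landed.query)
    if "error" in query:
        raise ValueError(f"authorization failed: {query['error'][0]}")
    codes = query.get("code", [])
    if len(codes) != 1 or not codes[0]:
        raise ValueError("redirect URL does not carry exactly one authorization code")
    return codes[0]


if __name__ == "__main__":
    # Constructed placeholder values, not real identifiers.
    print(build_authorize_url("TENANT_ID_PLACEHOLDER", "CLIENT_ID_PLACEHOLDER",
                              "https://localhost/myapp"))
    landed_on = "https://localhost/myapp?code=CONSTRUCTED_CODE&session_state=CONSTRUCTED_STATE"
    print(extract_auth_code(landed_on, "https://localhost/myapp"))
```

Paste the printed URL into the browser as in step 4, then pass the full address bar contents of the page you are redirected to into extract_auth_code; the value it returns is what goes into the Authorization Code field.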

Installing the connector

From FortiSOAR™ 5.0.0 onwards, use the Connector Store to install the connector. For the detailed procedure to install a connector, click here.
You can also use the following yum command as a root user to install connectors from an SSH session:

yum install cyops-connector-azure-log-analytics

Prerequisites to configuring the connector

  • You must have the service-based URI of the Azure Log Analytics server to which you will connect and perform automated operations. You will also need the credentials to access the server, as specified in Configuration parameters.
  • The FortiSOAR™ server should have outbound connectivity to port 443 on the Azure Log Analytics server.

Minimum Permissions Required

  • Not applicable.

Configuring the connector

For the procedure to configure a connector, click here.

Configuration parameters

In FortiSOAR™, on the Connectors page, click the Azure Log Analytics connector row (if you are in the Grid view on the Connectors page), and in the Configurations tab enter the required configuration details:

  • Server URL: The service-based URI to which you will connect and perform the automated operations.
  • Client ID: Unique API ID of the Azure AD application that is used to create an authentication token required to access the API.
  • Client Secret: Unique API secret of the Azure AD application that is used to create an authentication token required to access the API.
  • Tenant ID: ID of the tenant that you have been provided for your Azure Active Directory instance.
  • Authorization Code: The authorization code that you acquired during the authorization step. For more information, see Accessing the Azure Log Analytics API.
  • Redirect URL: The redirect_uri of your app, where authentication responses can be sent and received by your app. It must exactly match one of the redirect_uri values you registered in the app registration portal.
  • Verify SSL: Specifies whether the SSL certificate for the server is to be verified or not. By default, this option is set to True.

Actions supported by the connector

The following automated operations can be included in playbooks, and you can also use the annotations to access operations from version 4.10.0 onwards:

  • Execute Query: Retrieves data using a specific query from Azure Log Analytics based on the workspace ID and query that you have specified. Annotation: execute_query. Category: Investigation.
  • List Saved Searches: Retrieves the list of saved searches from Azure Log Analytics based on the workspace resource group, workspace subscription ID, and workspace name you have specified. Annotation: list_saved_searches. Category: Investigation.
  • Get Saved Searches: Retrieves information for a specific saved search from Azure Log Analytics, based on the saved search ID, workspace resource group, workspace subscription ID, and workspace name you have specified. Annotation: get_saved_searches. Category: Investigation.
  • Create Saved Searches: Creates a saved search in Azure Log Analytics, based on the saved search ID, workspace resource group, workspace subscription ID, workspace name, and other input parameters you have specified. Annotation: create_saved_searches. Category: Investigation.
  • Update Saved Searches: Updates an existing saved search in Azure Log Analytics, based on the saved search ID, workspace resource group, workspace subscription ID, workspace name, and other input parameters you have specified. Annotation: update_saved_searches. Category: Investigation.
  • Delete Saved Search: Deletes a specific saved search from Azure Log Analytics, based on the saved search ID, workspace resource group, workspace subscription ID, and workspace name you have specified. Annotation: delete_saved_search. Category: Investigation.

operation: Execute Query

Input parameters

  • Workspace ID: ID of the Azure Log Analytics workspace from which you want to retrieve data.
  • Query: Query with which you want to retrieve data from Azure Log Analytics.
  • TimeSpan (Optional): Timespan over which you want to query for data in Azure Log Analytics. This is an ISO 8601 time period value. This timespan is applied in addition to any timespans that have been specified in the query expression.
  • Workspace Name (Optional): Name of the Azure Log Analytics workspace from which you want to retrieve data.

Output

The output contains the following populated JSON schema:
{
  "tables": [
    {
      "name": "",
      "columns": [],
      "rows": []
    }
  ]
}
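The Execute Query output is column-oriented: each table carries a list of column descriptors and a list of rows, so a playbook step that wants to filter on, say, a Computer value has to join the two first. The following Python is an added example, not connector code from the page or from Fortinet; it flattens a response of this shape into a list of records. It assumes, as the Log Analytics query API does, that each column descriptor is an object with a "name" key (the page's schema shows the columns list empty), and the sample response is constructed.

```python
"""Added example, not connector code: turn the Execute Query output
(tables -> columns/rows) into a list of dicts a playbook step can filter on.
SAMPLE_RESPONSE is a constructed sample shaped like the schema on the page.
"""
from typing import Any

# Constructed sample in the "tables/columns/rows" shape. Column descriptors are
# assumed to be objects with a "name" key, as the query API returns them.
SAMPLE_RESPONSE: dict[str, Any] = {
    "tables": [
        {
            "name": "PrimaryResult",
            "columns": [
                {"name": "TimeGenerated", "type": "datetime"},
                {"name": "Computer", "type": "string"},
                {"name": "EventID", "type": "int"},
            ],
            "rows": [
                ["2024-01-01T00:00:00Z", "host-a", 4625],
                ["2024-01-01T00:00:05Z", "host-b", 4624],
            ],
        }
    ]
}


def table_to_records(table: dict[str, Any]) -> list[dict[str, Any]]:
    """Zip each row with the column names; a row of the wrong width is an error,
    not something to silently truncate or pad."""
    names = [column["name"] for column in table.get("columns", [])]
    records: list[dict[str, Any]] = []
    for index, row in enumerate(table.get("rows", [])):
        if len(row) != len(names):
            raise ValueError(
                f"row {index} has {len(row)} values but table has {len(names)} columns"
            )
        records.append(dict(zip(names, row)))
    return records


def records_from_response(
    response: dict[str, Any], table_name: str = "PrimaryResult"
) -> list[dict[str, Any]]:
    """Return the records of the named table, or an empty list if it is absent.
    An absent or empty "tables" list yields [] rather than raising, so a
    playbook can treat "no results" uniformly."""
    for table in response.get("tables") or []:
        if table.get("name") == table_name:
            return table_to_records(table)
    return []


if __name__ == "__main__":
    for record in records_from_response(SAMPLE_RESPONSE):
        print(record)
```

In a playbook, the list returned by records_from_response is what the next step iterates over; the column names become the keys, so the same KQL projection always yields the same record layout.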

operation: List Saved Searches

Input parameters

  • Workspace Resource Group: Name of the Azure Log Analytics workspace resource group from which you want to retrieve the saved searches.
  • Workspace Subscription ID: Subscription ID of the Azure Log Analytics workspace from which you want to retrieve the saved searches.
  • Workspace Name: Name of the Azure Log Analytics workspace from which you want to retrieve the saved searches.

Output

The output contains the following populated JSON schema:
{
  "id": "",
  "etag": "",
  "properties": {
    "Category": "",
    "DisplayName": "",
    "Query": "",
    "Tags": [],
    "Version": ""
  }
}

operation: Get Saved Searches

Input parameters

  • Saved Search ID: ID of the saved search that you want to retrieve from Azure Log Analytics.
  • Workspace Resource Group: Name of the Azure Log Analytics workspace resource group from which you want to retrieve the specified saved search.
  • Workspace Subscription ID: Subscription ID of the Azure Log Analytics workspace from which you want to retrieve the specified saved search.
  • Workspace Name: Name of the Azure Log Analytics workspace from which you want to retrieve the specified saved search.

Output

The output contains the following populated JSON schema:
{
  "id": "",
  "etag": "",
  "properties": {
    "category": "",
    "displayName": "",
    "functionAlias": "",
    "functionParameters": "",
    "query": "",
    "version": ""
  }
}

operation: Create Saved Searches

Input parameters

  • Saved Search ID: ID of the saved search that you want to create in Azure Log Analytics.
  • Workspace Resource Group: Name of the Azure Log Analytics workspace resource group in which you want to create the saved search.
  • Workspace Subscription ID: Subscription ID of the Azure Log Analytics workspace in which you want to create the saved search.
  • Workspace Name: Name of the Azure Log Analytics workspace in which you want to create the saved search.
  • Category: Category to assign to the saved search that you want to create in Azure Log Analytics. Categorization helps users quickly find a saved search in Azure Log Analytics.
  • Display Name: Display name of the saved search that you want to create in Azure Log Analytics.
  • Query: Query expression for the saved search that you want to create in Azure Log Analytics.
  • ETag (Optional): ETag to send with the request that creates the saved search in Azure Log Analytics.
  • Additional Fields (Optional): Additional fields to assign to the saved search that you want to create in Azure Log Analytics.

Output

The output contains the following populated JSON schema:
{
  "id": "",
  "etag": "",
  "properties": {
    "category": "",
    "displayName": "",
    "functionAlias": "",
    "functionParameters": "",
    "query": "",
    "version": ""
  }
}

operation: Update Saved Searches

Input parameters

  • Saved Search ID: ID of the saved search that you want to update in Azure Log Analytics.
  • Workspace Resource Group: Name of the Azure Log Analytics workspace resource group in which you want to update the saved search.
  • Workspace Subscription ID: Subscription ID of the Azure Log Analytics workspace in which you want to update the saved search.
  • Workspace Name: Name of the Azure Log Analytics workspace in which you want to update the saved search.
  • Category: Category to assign to the saved search that you want to update in Azure Log Analytics. Categorization helps users quickly find a saved search in Azure Log Analytics.
  • Display Name: Display name of the saved search that you want to update in Azure Log Analytics.
  • Query: Query expression for the saved search that you want to update in Azure Log Analytics.
  • ETag (Optional): ETag to send with the request that updates the saved search in Azure Log Analytics.
  • Additional Fields (Optional): Additional fields to assign to the saved search that you want to update in Azure Log Analytics.

Output

The output contains the following populated JSON schema:
{
  "id": "",
  "etag": "",
  "properties": {
    "category": "",
    "displayName": "",
    "functionAlias": "",
    "functionParameters": "",
    "query": "",
    "version": ""
  }
}
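The Create Saved Searches and Update Saved Searches operations above take the same inputs: four values that identify the resource (subscription, resource group, workspace, saved search ID), three required properties (category, display name, query), an optional ETag, and free-form Additional Fields. The following Python is an added example, not the connector's own code, showing how those inputs map onto an Azure saved-search resource path and a request body whose "properties" object has the keys seen in the output schema. The resource path is the Azure Resource Manager path for a workspace saved search; the api-version default is an assumption to be checked against your tenant, and the workspace and search names in the usage lines are constructed. The body builder rejects Additional Fields that would silently overwrite a required property, which is the mistake a playbook author is most likely to make when passing a dictionary through.

```python
"""Added example, not connector code: map the Create/Update Saved Searches
inputs onto the Azure resource path and request body for a saved search.
The api-version default and every sample value are assumptions/constructed.
"""
from typing import Any, Optional
from urllib.parse import quote

# Properties the operation requires; Additional Fields may not override them.
REQUIRED_PROPERTIES = frozenset({"category", "displayName", "query"})

# Assumed default; confirm the api-version your tenant and the connector use.
DEFAULT_API_VERSION = "2020-08-01"


def saved_search_path(
    subscription_id: str,
    resource_group: str,
    workspace_name: str,
    saved_search_id: str,
    api_version: str = DEFAULT_API_VERSION,
) -> str:
    """Build the ARM path for one saved search. Each segment is validated so
    that a value containing a path or query separator cannot re-point the
    request at a different resource, then percent-encoded."""
    segments = {
        "subscription_id": subscription_id,
        "resource_group": resource_group,
        "workspace_name": workspace_name,
        "saved_search_id": saved_search_id,
    }
    for name, value in segments.items():
        if not value or any(ch in value for ch in "/?#"):
            raise ValueError(f"{name} is empty or contains a path/query separator")
    encoded = [quote(value, safe="") for value in segments.values()]
    return (
        "/subscriptions/{}/resourceGroups/{}/providers/Microsoft.OperationalInsights"
        "/workspaces/{}/savedSearches/{}?api-version={}"
    ).format(*encoded, api_version)


def saved_search_body(
    category: str,
    display_name: str,
    query: str,
    etag: Optional[str] = None,
    additional_fields: Optional[dict[str, Any]] = None,
) -> dict[str, Any]:
    """Assemble the request body. Additional Fields (e.g. functionAlias, tags)
    are merged into "properties" but may not replace a required property."""
    for name, value in (("category", category), ("display_name", display_name), ("query", query)):
        if not value:
            raise ValueError(f"{name} is required")
    extra = dict(additional_fields or {})
    clash = REQUIRED_PROPERTIES & set(extra)
    if clash:
        raise ValueError(f"Additional Fields may not override: {sorted(clash)}")
    properties: dict[str, Any] = {"category": category, "displayName": display_name, "query": query}
    properties.update(extra)
    body: dict[str, Any] = {"properties": properties}
    if etag:
        body["etag"] = etag
    return body


if __name__ == "__main__":
    # Constructed values, not real identifiers.
    print(saved_search_path("SUBSCRIPTION_PLACEHOLDER", "rg-soc", "ws-soc", "failed-logons"))
    print(saved_search_body("Security", "Failed logons", "SecurityEvent | where EventID == 4625",
                            additional_fields={"functionAlias": "FailedLogons"}))
```

The same pair of functions serves both Create and Update, since both operations send the same resource path and body; the ETag is the only input that differs in practice, and the body simply omits it when none is given.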

operation: Delete Saved Search

Input parameters

  • Saved Search ID: ID of the saved search that you want to delete from Azure Log Analytics.
  • Workspace Resource Group: Name of the Azure Log Analytics workspace resource group from which you want to delete the saved search.
  • Workspace Subscription ID: Subscription ID of the Azure Log Analytics workspace from which you want to delete the saved search.
  • Workspace Name: Name of the Azure Log Analytics workspace from which you want to delete the saved search.

Output

The output contains the following populated JSON schema:
{
  "result": ""
}

Included playbooks

The Sample - Azure Log Analytics - 1.0.0 playbook collection comes bundled with the Azure Log Analytics connector. These playbooks contain steps that perform all supported actions. You can see the bundled playbooks in the Automation > Playbooks section in FortiSOAR™ after importing the Azure Log Analytics connector.

  • Create Saved Searches
  • Delete Saved Search
  • Execute Query
  • Get Saved Searches
  • List Saved Searches
  • Update Saved Searches

Note: If you are planning to use any of the sample playbooks in your environment, clone those playbooks and move them to a different collection, because the sample playbook collection is deleted when the connector is upgraded or deleted.
