Azure Log Analytics is a service that helps you collect and analyze data generated by resources in your cloud and on-premises environments.
This document provides information about the Azure Log Analytics Connector, which facilitates automated interactions with an Azure Log Analytics service-based URI using FortiSOAR™ playbooks. Add the Azure Log Analytics Connector as a step in FortiSOAR™ playbooks and perform automated operations related to query and saved searches with Azure Log Analytics.
Connector Version: 2.0.0
FortiSOAR™ Version Tested on: 7.4.0-3024
Azure Log Analytics Version Tested on: Cloud instance
Authored By: Fortinet
Certified: Yes
The following enhancements have been made to the Azure Log Analytics Connector in version 2.0.0:
Use the Content Hub to install the connector. For the detailed procedure to install a connector, click here.
You can also use the following yum command as a root user to install connectors from an SSH session:

```shell
yum install cyops-connector-azure-log-analytics
```
For the procedure to configure a connector, click here.
In FortiSOAR™, on the Connectors page, click the Azure Log Analytics connector row (if you are in the Grid view on the Connectors page), and in the Configurations tab enter the required configuration details:
Parameter | Description |
---|---|
Client ID | Unique API ID of the Azure AD application that is used to create an authentication token required to access the API. |
Client Secret | Unique API Secret of the Azure AD application that is used to create an authentication token required to access the API. |
Tenant ID | ID of the tenant that you have been provided for your Azure Active Directory instance. |
Subscription ID | Unique Subscription ID of the Log Analytics Workspace that is used to create an authentication token required to access the API. |
Workspace ID | Unique Workspace ID of the Log Analytics Workspace that is used to create an authentication token required to access the API. |
Workspace Name | Unique Workspace Name of the Log Analytics Workspace that is used to create an authentication token required to access the API. |
Resource Group Name | Unique Resource Group Name of the Log Analytics Workspace that is used to create an authentication token required to access the API. |
Verify SSL | Specifies whether the SSL certificate for the server is to be verified or not. By default, this option is set to True. |
The following automated operations can be included in playbooks, and you can also use the annotations to access operations from version 4.10.0 onwards:
Function | Description | Annotation and Category |
---|---|---|
Execute Query | Retrieves data using a specific query from Azure Log Analytics based on the workspace ID and query that you have specified. | execute_query Investigation |
List Saved Searches | Retrieves the list of saved searches from Azure Log Analytics based on workspace resource group, workspace subscription ID, and workspace name you have specified. | list_saved_searches Investigation |
Get Saved Searches | Retrieves information for a specific saved search from Azure Log Analytics, based on the saved search ID, workspace resource group, workspace subscription ID, and workspace name you have specified. | get_saved_searches Investigation |
Create Saved Searches | Creates a saved search in Azure Log Analytics, based on the saved search ID, workspace resource group, workspace subscription ID, and workspace name, and other input parameters you have specified. | create_saved_searches Investigation |
Update Saved Searches | Updates an existing saved search in Azure Log Analytics, based on the saved search ID, workspace resource group, workspace subscription ID, and workspace name, and other input parameters you have specified. | update_saved_searches Investigation |
Delete Saved Search | Deletes a specific saved search from Azure Log Analytics, based on the saved search ID, workspace resource group, workspace subscription ID, and workspace name you have specified. | delete_saved_search Investigation |
Input parameters for the Execute Query operation:
Parameter | Description |
---|---|
Query | Specify the query based on which to retrieve data from Azure Log Analytics. |
TimeSpan | (Optional) Specify the time span over which to query for data in Azure Log Analytics. This is an ISO8601 time period value. This time span is applied in addition to any other time spans specified in the query expression. |
The output contains the following populated JSON schema:

```json
{
  "tables": [
    {
      "name": "",
      "columns": [],
      "rows": []
    }
  ]
}
```
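As an added example (not the connector's own code), the following Python flattens an Execute Query result in the schema above into typed records and derives a simple playbook condition from them. It assumes each `columns` entry carries `name` and `type` keys, as the Log Analytics query API returns them; the sample result is constructed.

```python
"""Flatten an Execute Query result into typed records (added example, not connector code).
Assumes each ``columns`` entry carries ``name`` and ``type`` as the Log Analytics query
API returns them; SAMPLE_RESULT is constructed in the shape of the output schema above."""
import json
from datetime import datetime, timezone

SAMPLE_RESULT = {"tables": [{
    "name": "PrimaryResult",
    "columns": [{"name": "TimeGenerated", "type": "datetime"},
                {"name": "Computer", "type": "string"},
                {"name": "FailedLogons", "type": "long"},
                {"name": "Details", "type": "dynamic"}],
    "rows": [["2024-05-01T10:15:00.1234567Z", "web01", 7, "{\"src\": \"10.0.0.5\"}"],
             ["2024-05-01T10:20:00Z", "db02", 0, None]],
}]}

def _parse_datetime(value):
    # Log Analytics emits UTC ISO 8601 with up to 7 fractional digits; older
    # fromisoformat() accepts at most 6, so normalise the fraction first.
    value = value.rstrip("Z")
    if "." in value:
        head, frac = value.split(".", 1)
        value = f"{head}.{frac[:6].ljust(6, '0')}"
    return datetime.fromisoformat(value).replace(tzinfo=timezone.utc)

# Coercion by declared column type; unlisted types (string, guid, ...) stay strings.
_COERCE = {
    "datetime": _parse_datetime,
    "long": int, "int": int, "real": float, "decimal": float,
    "bool": lambda v: v if isinstance(v, bool) else str(v).lower() == "true",
    "dynamic": lambda v: json.loads(v) if isinstance(v, str) else v,
}

def flatten_result(result, table="PrimaryResult"):
    """Return the named table as a list of dicts keyed by column name."""
    tables = {t.get("name"): t for t in result.get("tables", [])}
    if table not in tables:
        raise KeyError(f"table {table!r} not in result")
    cols, records = tables[table]["columns"], []
    for row in tables[table]["rows"]:
        if len(row) != len(cols):  # a ragged row means a malformed result
            raise ValueError("row length does not match column count")
        records.append({c["name"]: None if v is None else _COERCE.get(c.get("type"), str)(v)
                        for c, v in zip(cols, row)})
    return records

def hosts_over_threshold(records, column="FailedLogons", threshold=5):
    """Computers whose count exceeds the threshold, usable as a playbook condition."""
    return sorted(r["Computer"] for r in records if (r.get(column) or 0) > threshold)
```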
Input parameters for the List Saved Searches operation: None.
The output contains the following populated JSON schema:

```json
{
  "id": "",
  "etag": "",
  "properties": {
    "Category": "",
    "DisplayName": "",
    "Query": "",
    "Tags": [],
    "Version": ""
  }
}
```
Input parameters for the Get Saved Searches operation:
Parameter | Description |
---|---|
Saved Search ID | Specify the ID of the saved search to retrieve from Azure Log Analytics. |
The output contains the following populated JSON schema:

```json
{
  "id": "",
  "etag": "",
  "properties": {
    "category": "",
    "displayName": "",
    "functionAlias": "",
    "functionParameters": "",
    "query": "",
    "version": ""
  }
}
```
Input parameters for the Create Saved Searches operation:
Parameter | Description |
---|---|
Saved Search ID | Specify the ID of the saved search to create in Azure Log Analytics. |
Category | Specify the category to assign to the saved search being created in Azure Log Analytics. Categorization helps users quickly find a saved search in Azure Log Analytics. |
Display Name | Specify the display name of the saved search being created in Azure Log Analytics. |
Query | Specify the query expression for the saved search being created in Azure Log Analytics. |
ETag | (Optional) Specify the ETag of the saved search being created in Azure Log Analytics. |
Additional Fields | (Optional) Specify additional fields to assign to the saved search being created in Azure Log Analytics. |
The output contains the following populated JSON schema:

```json
{
  "id": "",
  "etag": "",
  "properties": {
    "category": "",
    "displayName": "",
    "functionAlias": "",
    "functionParameters": "",
    "query": "",
    "version": ""
  }
}
```
Input parameters for the Update Saved Searches operation:
Parameter | Description |
---|---|
Saved Search ID | Specify the ID of the saved search to update in Azure Log Analytics. |
Category | Specify the category of the saved search to update in Azure Log Analytics. Categorization helps users quickly find a saved search in Azure Log Analytics. |
Display Name | Specify the display name of the saved search to update in Azure Log Analytics. |
Query | Specify the query expression of the saved search to update in Azure Log Analytics. |
Additional Fields | (Optional) Specify additional fields to assign to the saved search being updated in Azure Log Analytics. |
The output contains the following populated JSON schema:

```json
{
  "id": "",
  "etag": "",
  "properties": {
    "category": "",
    "displayName": "",
    "functionAlias": "",
    "functionParameters": "",
    "query": "",
    "version": ""
  }
}
```
Input parameters for the Delete Saved Search operation:
Parameter | Description |
---|---|
Saved Search ID | Specify the ID of the saved search that you want to delete from Azure Log Analytics. |
The output contains the following populated JSON schema:

```json
{
  "result": ""
}
```
The Sample - Azure Log Analytics - 2.0.0 playbook collection comes bundled with the Azure Log Analytics connector. These playbooks contain steps that you can use to perform all supported actions. You can see the bundled playbooks in the Automation > Playbooks section in FortiSOAR™ after importing the Azure Log Analytics connector.
Note: If you are planning to use any of the sample playbooks in your environment, ensure that you clone those playbooks and move them to a different collection, since the sample playbook collection gets deleted when the connector is upgraded or deleted.
Your application needs to be both authenticated and authorized to access the Azure Log Analytics API. The REST APIs of Azure Log Analytics allow you to run queries in Azure Log Analytics and also perform operations such as retrieve, create, update, and delete saved searches in Azure Log Analytics.
The following configuration parameters are required to authenticate the Azure Log Analytics connector with the Azure Log Analytics API.
You can get authentication tokens to access Azure Log Analytics using the Without a User — Application Permission method. For more information, see https://learn.microsoft.com/en-us/graph/auth-register-app-v2.
In the Configurations tab of the connector, enter the authentication details to authenticate the Azure Log Analytics connector with the Azure Log Analytics API.
The process to access the Azure Log Analytics API is now complete.