About the connector
Azure Log Analytics is a service that helps you collect and analyze data generated by resources in your cloud and on-premises environments.
This document provides information about the Azure Log Analytics Connector, which facilitates automated interactions with an Azure Log Analytics service-based URI using FortiSOAR™ playbooks. Add the Azure Log Analytics Connector as a step in FortiSOAR™ playbooks and perform automated operations related to query and saved searches with Azure Log Analytics.
Version information
Connector Version: 2.0.0
FortiSOAR™ Version Tested on: 7.4.0-3024
Azure Log Analytics Version Tested on: Cloud instance
Authored By: Fortinet
Certified: Yes
Release Notes for version 2.0.0
Following enhancements have been made to the Azure Log Analytics Connector in version 2.0.0:
- This connector version is now certified.
- Added following new parameters in Configuration section:
- Subscription ID
- Workspace ID
- Workspace Name
- Resource Group Name
- Removed Authorization Code, Server URL, and Redirect URL parameters from the Configuration section.
- Removed Workspace ID and Workspace Name parameter from the Execute Query operation.
- Removed ETag parameter from the Update Saved Searches operation.
- Removed Workspace Resource Group, Workspace Subscription ID, and Workspace Name from following operations:
- Create Saved Searches
- Update Saved Searches
- List Saved Searches
- Get Saved Searches
- Delete Saved Search
Installing the connector
Use the Content Hub to install the connector. For the detailed procedure to install a connector, click here.
You can also use the following yum command as a root user to install connectors from an SSH session:
yum install cyops-connector-azure-log-analytics
Prerequisites to configuring the connector
- You must have the server-based URI of the Azure Log Analytics server to connect and perform automated operations. You will also need the credentials to access the server as specified in Configuration Parameters.
- The FortiSOAR™ server should have outbound connectivity to port 443 on the Azure Log Analytics server.
Minimum Permissions Required
Configuring the connector
For the procedure to configure a connector, click here
Configuration parameters
In FortiSOAR™, on the Connectors page, click the Azure Log Analytics connector row (if you are in the Grid view on the Connectors page), and in the Configurationstab enter the required configuration details:
| Parameter |
Description |
| Client ID |
Unique API ID of the Azure AD application that is used to create an authentication token required to access the API. |
| Client Secret |
Unique API Secret of the Azure AD application that is used to create an authentication token required to access the API. |
| Tenant ID |
ID of the tenant that you have been provided for your Azure Active Directory instance. |
| Subscription ID |
Unique Subscription ID of the Log Analytics Workspace that is used to create an authentication token required to access the API. |
| Workspace ID |
Unique Workspace ID of the Log Analytics Workspace that is used to create an authentication token required to access the API. |
| Workspace Name |
Unique Workspace Name of the Log Analytics Workspace that is used to create an authentication token required to access the API. |
| Resource Group Name |
Unique Resource Group Name of the Log Analytics Workspace that is used to create an authentication token required to access the API. |
| Verify SSL |
Specifies whether the SSL certificate for the server is to be verified or not.
By default, this option is set to True. |
Actions supported by the connector
The following automated operations can be included in playbooks, and you can also use the annotations to access operations from version 4.10.0 onwards:
| Function |
Description |
Annotation and Category |
| Execute Query |
Retrieves data using a specific query from Azure Log Analytics based on the workspace ID and query that you have specified. |
execute_query
Investigation |
| List Saved Searches |
Retrieves the list of saved searches from Azure Log Analytics based on workspace resource group, workspace subscription ID, and workspace name you have specified. |
list_saved_searches
Investigation |
| Get Saved Searches |
Retrieves information for a specific saved search from Azure Log Analytics, based on the saved search ID, workspace resource group, workspace subscription ID, and workspace name you have specified. |
get_saved_searches
Investigation |
| Create Saved Searches |
Creates a saved search in Azure Log Analytics, based on the saved search ID, workspace resource group, workspace subscription ID, and workspace name, and other input parameters you have specified. |
create_saved_searches
Investigation |
| Update Saved Searches |
Updates an existing saved search in Azure Log Analytics, based on the saved search ID, workspace resource group, workspace subscription ID, and workspace name, and other input parameters you have specified. |
update_saved_searches
Investigation |
| Delete Saved Search |
Deletes a specific saved search from Azure Log Analytics, based on the saved search ID, workspace resource group, workspace subscription ID, and workspace name you have specified. |
delete_saved_search
Investigation |
operation: Execute Query
Input parameters
| Parameter |
Description |
| Query |
Specify the query based on which to retrieve data from Azure Log Analytics. |
| TimeSpan |
(Optional) Specify the time span over which to query for data in Azure Log Analytics. This is an ISO8601 time period value. This time span is applied in addition to any other time spans specified in the query expression. |
Output
The output contains the following populated JSON schema:
{
"tables": [
{
"name": "",
"columns": [],
"rows": []
}
]
}
operation: List Saved Searches
Input parameters
None.
Output
The output contains the following populated JSON schema:
{
"id": "",
"etag": "",
"properties": {
"Category": "",
"DisplayName": "",
"Query": "",
"Tags": [],
"Version": ""
}
}
operation: Get Saved Searches
Input parameters
| Parameter |
Description |
| Saved Search ID |
Specify the ID of the saved search to retrieve from Azure Log Analytics. |
Output
The output contains the following populated JSON schema:
{
"id": "",
"etag": "",
"properties": {
"category": "",
"displayName": "",
"functionAlias": "",
"functionParameters": "",
"query": "",
"version": ""
}
}
operation: Create Saved Searches
Input parameters
| Parameter |
Description |
| Saved Search ID |
Specify the ID of the saved search to create in Azure Log Analytics. |
| Category |
Specify the Category to assign to the saved search being created in Azure Log Analytics. Categorization helps users quickly find a saved search in Azure Log Analytics. |
| Display Name |
Specify the display name of the saved search being created in Azure Log Analytics. |
| Query |
Specify the query expression for the saved search being created in Azure Log Analytics. |
| ETag |
(Optional) Specify the Etag in which to create the saved search in Azure Log Analytics. |
| Additional Fields |
(Optional) Specify additional fields to assign to the saved search being created in Azure Log Analytics. |
Output
The output contains the following populated JSON schema:
{
"id": "",
"etag": "",
"properties": {
"category": "",
"displayName": "",
"functionAlias": "",
"functionParameters": "",
"query": "",
"version": ""
}
}
operation: Update Saved Searches
Input parameters
| Parameter |
Description |
| Saved Search ID |
Specify the ID of the saved search to update in Azure Log Analytics. |
| Category |
Specify the category of the saved search to update in Azure Log Analytics. Categorization helps users quickly find a saved search in Azure Log Analytics. |
| Display Name |
Specify the display name of the saved search to update in Azure Log Analytics. |
| Query |
Specify the query expression of the saved search to update in Azure Log Analytics. |
| Additional Fields |
(Optional) Specify additional fields to assign and update the saved search in Azure Log Analytics. |
Output
The output contains the following populated JSON schema:
{
"id": "",
"etag": "",
"properties": {
"category": "",
"displayName": "",
"functionAlias": "",
"functionParameters": "",
"query": "",
"version": ""
}
}
operation: Delete Saved Search
Input parameters
| Parameter |
Description |
| Saved Search ID |
Specify the ID of the saved search that you want to delete from Azure Log Analytics. |
Output
The output contains the following populated JSON schema:
{
"result": ""
}
Included playbooks
The Sample - Azure Log Analytics - 2.0.0 playbook collection comes bundled with the Azure Log Analytics connector. These playbooks contain steps using which you can perform all supported actions. You can see bundled playbooks in the Automation > Playbooks section in FortiSOARTM after importing the Azure Log Analytics connector.
- Create Saved Searches
- Delete Saved Search
- Execute Query
- Get Saved Searches
- List Saved Searches
- Update Saved Searches
Note: If you are planning to use any of the sample playbooks in your environment, ensure that you clone those playbooks and move them to a different collection since the sample playbook collection gets deleted during connector upgrade and delete.
Accessing the Azure Log Analytics API
Your application needs to be both authenticated and authorized to access the Azure Log Analytics API. The REST APIs of Azure Log Analytics allow you to run queries in Azure Log Analytics and also perform operations such as retrieve, create, update, and delete saved searches in Azure Log Analytics.
The following configuration parameters are required to authenticate the Azure Log Analytics connector with the Azure Log Analytics API.
- Client ID
- Client Secret
- Tenant ID
- Redirect URI
- Subscription ID
- Workspace ID
- Workspace Name
- Resource Group Name
You can get authentication tokens to access the Azure Log Analytics using the Without a User — Application Permission method. For more information see, https://learn.microsoft.com/en-us/graph/auth-register-app-v2.
In the Configurations tab of the connector, enter the authentication details to authenticate the Azure Log Analytics connector with the Azure Log Analytics API.
- Register your client application with Azure Active Directory (AD). See Register your client application for more information.
- Assign the role of Log Analytics Contributor and Log Analytics Reader. To assign roles, refer to https://learn.microsoft.com/en-gb/azure/role-based-access-control/role-assignments-portal.
- After registering the application in Azure AD, you get access to the following information:
- Client ID
- Client Secret
- Tenant ID
- Redirect URI
- Subscription ID
- Workspace ID
- Workspace Name
- Resource Group Name
The process to access the Azure Log Analytics API is now complete.
