Azure Log Analytics

Azure Log Analytics is a cloud-based service that collects and analyzes telemetry data from Azure and other sources. Salem can retrieve data from Log Analytics with KQL (Kusto Query Language) queries to build ActionConf objects.

Description: In the default case, Salem retrieves data from an Azure Log Analytics resource, authenticating with a secret stored in a key vault resource and returning data based on a user-defined query. The user can then process the output with an eval string to build Salem ActionConfs.

Request Workflow:

  1. An HTTP POST request is made to the token endpoint of the tenant identified by the tenant_id defined in input.static_keys. The request includes the client_id, defined in the input.static_keys parameter, and the client secret housed in the vault resource defined in the credentials parameter. The response returns an access token.

  2. Using that token as a bearer token, an HTTP POST request is made to the Log Analytics resource identified by the workspace_id defined in the input.static_keys parameter. The request includes the input values, defined in input.input_keys and populated by the user from the Salem interface.

  3. The response is then handled according to the specifications in the results parameter, including the expected format of the response and any actions needed to structure the returned information.

The image below shows Salem's default Log Analytics Search webhook action structure. More general information on ActionDefinition parameters and their purpose can be found in the Webhook - ActionDefinition documentation.

See the description below the image for an explanation of how to configure each ActionDefinition parameter for an Azure Log Analytics webhook action.

By default, the Azure Log Analytics ActionDefinition expects a key vault resource that contains a client secret for Salem's application registration. Salem sends this secret in the token request (step 1 above); only the access token returned by that request is used as the bearer token for the Log Analytics query. To match this configuration, create a secret value in a key vault resource Salem can access. The application registration must also hold read access to the target workspace (for example the Log Analytics Reader role), or the query request will be refused even though the token request succeeds.

  • tenant_id: The ID of the Microsoft Entra (Azure AD) tenant in which the resources are deployed.

  • client_id: The application (client) ID of Salem's application registration.

  • workspace_id: The workspace ID of the target Log Analytics resource.

The two user inputs included in the default configuration expect a query from the user in KQL format and a time span parameter (an ISO 8601 duration or interval, which bounds the query independently of any time filter written into the KQL itself). The query should name a table and columns in the Log Analytics resource that Salem has access to.

The example included in the default configuration queries a table called "AADAuthentication" and requests a count of all of the records in the table that match the conditions:

  1. An account field equal to "sample.account@salemcyber.com"

  2. A status field equal to "failed"
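The three-step request workflow above, run with the default example query just described, as an added Python example that is not Salem's own code. It builds the token request and the query request as plain data, chains them through an injectable transport, and ships with a constructed fake transport standing in for the Microsoft endpoints so it runs offline. It uses the public Entra ID token endpoint and Log Analytics query endpoint, which the page does not name; the tenant, client and workspace values, the secret value, the column names "account" and "status", and all helper names are assumptions.

```python
import json
from urllib.parse import parse_qsl, urlencode

# Constructed placeholder values; they are not Salem's defaults and not real
# tenant, application or workspace identifiers.
TENANT_ID = "00000000-0000-0000-0000-000000000000"
CLIENT_ID = "11111111-1111-1111-1111-111111111111"
WORKSPACE_ID = "22222222-2222-2222-2222-222222222222"

# The default example query as the page describes it, written out in KQL.
# Table name and filter values come from the page; the column names
# "account" and "status" are assumed from the prose.
DEFAULT_QUERY = (
    "AADAuthentication\n"
    '| where account == "sample.account@salemcyber.com"\n'
    '| where status == "failed"\n'
    "| count"
)
TOKEN_SCOPE = "https://api.loganalytics.io/.default"


def build_token_request(tenant_id, client_id, client_secret):
    """Step 1: OAuth2 client-credentials request to the tenant's token endpoint.

    The client secret (read from Key Vault at run time) travels only in this
    form-encoded body; it must never be logged or placed in a URL.
    """
    url = f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token"
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    body = urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": TOKEN_SCOPE,
    })
    return url, headers, body


def build_query_request(workspace_id, access_token, query, timespan):
    """Step 2: the query POST to the workspace, authenticated with the token."""
    url = f"https://api.loganalytics.io/v1/workspaces/{workspace_id}/query"
    headers = {
        "Authorization": f"Bearer {access_token}",
        "Content-Type": "application/json",
    }
    body = json.dumps({"query": query, "timespan": timespan})
    return url, headers, body


def run_search(post, tenant_id, client_id, client_secret, workspace_id, query, timespan):
    """Chain steps 1 and 2. `post(url, headers, body)` is the HTTP transport and
    must return the decoded JSON body; wrap requests.post (or similar) for real use."""
    token_resp = post(*build_token_request(tenant_id, client_id, client_secret))
    if "access_token" not in token_resp:
        raise RuntimeError(f"token request failed: {token_resp.get('error', 'unknown')}")
    query_resp = post(*build_query_request(workspace_id, token_resp["access_token"], query, timespan))
    if "error" in query_resp:
        raise RuntimeError(f"query failed: {query_resp['error'].get('code')}")
    return query_resp


def fake_post(url, headers, body):
    """Constructed offline stand-in for both Microsoft endpoints; it checks the
    same things the real services check before answering."""
    if url.endswith("/oauth2/v2.0/token"):
        form = dict(parse_qsl(body))
        if form.get("grant_type") != "client_credentials" or form.get("scope") != TOKEN_SCOPE:
            return {"error": "invalid_request"}
        if form.get("client_secret") != "secret-from-key-vault":  # assumed secret value
            return {"error": "invalid_client"}
        return {"token_type": "Bearer", "expires_in": 3599, "access_token": "eyJ.fake.token"}
    if url.endswith("/query"):
        if headers.get("Authorization") != "Bearer eyJ.fake.token":
            return {"error": {"code": "AuthorizationRequiredError"}}
        if not json.loads(body).get("query"):
            return {"error": {"code": "BadArgumentError"}}
        # Real response shape: a list of tables, each with typed columns and row arrays.
        return {"tables": [{"name": "PrimaryResult",
                            "columns": [{"name": "Count", "type": "long"}],
                            "rows": [[3]]}]}
    raise ValueError(f"unexpected URL: {url}")


if __name__ == "__main__":
    result = run_search(fake_post, TENANT_ID, CLIENT_ID, "secret-from-key-vault",
                        WORKSPACE_ID, DEFAULT_QUERY, "P1D")
    print(json.dumps(result, indent=2))
```

Keeping the request builders free of I/O makes the two security-relevant facts easy to check in a test: the secret appears only in the token request body, and the query request carries only the short-lived bearer token. A wrong secret fails at step 1, and a forged or missing token fails at step 2 before any data is returned.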

The format and structure of the requests Salem makes to the target resources (which are themselves defined in other parameters) is defined in this object.

In the default case, Salem uses the OAuth2 client credentials flow to authenticate with the key vault secret and then sends the resulting bearer token in the Authorization header of the query request to Log Analytics. The user input described in the preceding section is also passed as part of the request body.

The expected response from an Azure Log Analytics POST request is JSON: one or more tables, each listing its columns and one positional array per result row. Salem then formats the response into a two-column table with one row per key/value pair.
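The response handling just described, as an added Python example that is not Salem's own code: it converts the columnar Log Analytics JSON into one record per row and renders each record as a two-column key/value table. The response below is constructed in the shape the query API returns (the tables/columns/rows layout is the real one; the column names and values are made up), and the helper names are assumptions.

```python
# Constructed response in the shape the Log Analytics query API returns:
# a list of tables, each with typed columns and rows as positional arrays.
# The column names and values are made up for illustration.
SAMPLE_RESPONSE = {
    "tables": [
        {
            "name": "PrimaryResult",
            "columns": [
                {"name": "TimeGenerated", "type": "datetime"},
                {"name": "account", "type": "string"},
                {"name": "status", "type": "string"},
                {"name": "attempts", "type": "long"},
            ],
            "rows": [
                ["2024-01-01T00:00:00Z", "sample.account@salemcyber.com", "failed", 3],
                ["2024-01-01T00:05:00Z", "sample.account@salemcyber.com", "failed", 1],
            ],
        }
    ]
}


def records(response):
    """Turn the columnar response into one dict per row, keyed by column name.

    An error response has no "tables" key, so raise rather than silently
    returning an empty list that a downstream eval string might misread
    as "no matching records".
    """
    if "tables" not in response:
        raise ValueError(f"not a query result: {response.get('error', response)}")
    out = []
    for table in response["tables"]:
        names = [c["name"] for c in table["columns"]]
        for row in table["rows"]:
            if len(row) != len(names):
                raise ValueError(f"row width {len(row)} != column count {len(names)}")
            out.append(dict(zip(names, row)))
    return out


def key_value_rows(record):
    """Two-column (key, value) view of a single record."""
    return list(record.items())


def render_table(record):
    """Plain-text rendering of the key/value table for one record."""
    rows = key_value_rows(record)
    width = max(len(k) for k, _ in rows)
    lines = [f"{'key'.ljust(width)} | value", f"{'-' * width}-+-------"]
    lines += [f"{k.ljust(width)} | {v}" for k, v in rows]
    return "\n".join(lines)


if __name__ == "__main__":
    for rec in records(SAMPLE_RESPONSE):
        print(render_table(rec), end="\n\n")
```

Values keep the JSON types the API returns (the "long" column arrives as a number, "datetime" as an ISO 8601 string), so an eval string that compares counts should not need to parse strings first.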
