Azure Log Analytics


Last updated 11 months ago

Azure Log Analytics is a cloud-based service that collects and analyzes telemetry data from Azure and sources. Salem can retrieve data from Log Analytics via the KQL language to build Action Conf objects.

Azure Log Analytics Search - Webhook Action

Description: In the default case, Salem retrieves data from an Azure Log Analytics resource, authenticating with a secret stored in a digital key vault and returning data based on a user-defined query. The user can then process the output using an eval string to build Salem ActionConfs.

Request Workflow:

  1. An HTTP POST request is created using the tenant_id defined in input.static_keys. The request includes a client_id, defined in the input.static_keys parameter, and the secret housed in the vault resource defined in the credentials parameter. The request returns an authentication token.

  2. Using the bearer token, an HTTP POST request is made to the Log Analytics resource with the workspace_id, defined in the input.static_keys parameter. The request includes the input values, defined in input.input_keys and populated by the user from the Salem interface.

  3. The response is then handled according to the specifications in the results parameter, including the expected format of the response and any actions to structure the returned information.

The image below shows Salem's default Log Analytics Search webhook action structure. More general information on ActionDefinition parameters and their purpose can be found in the documentation.

See the description below the image for an explanation of how to configure each Action Definition parameter for an Azure Log Analytics webhook action.

Configuring Azure Log Analytics Search

1. Credentials/Authentication

By default, the Azure Log Analytics ActionDefinition expects a key vault resource that contains a client secret. This secret is passed as part of the bearer token request. To match this configuration, create a secret value in a key vault resource Salem can access.

2. Static Keys - target resources

  • tenant_id: The ID for the Azure environment the resources are deployed within.

  • client_id: Salem's application registration ID.

  • workspace_id: The ID of the target Log Analytics resource.

3. Input Keys - User input

The two user inputs included in the default configuration expect a query from the user in KQL format and a time span parameter. The query should identify a table and columns in the Log Analytics resource accessible to Salem.

The example included in the default configuration queries a table called "AADAuthentication" and requests a count of all of the records in the table that match the conditions:

  1. An account field equal to "sample.account@salemcyber.com"

  2. A status field equal to "failed"

4. Requests - HTTP requests

The format/structure of requests made by Salem to the target resources (defined in other parameters) is defined in this object.

In the default case, Salem uses OAuth2 to authenticate using a key vault secret and then includes the resulting bearer token as part of the query to Log Analytics. The user input, as described in the preceding section, is also passed as part of the request to Log Analytics.

5. Results - HTTP response handling

The expected response from an Azure Log Analytics POST request is data in a JSON format. Salem then formats the response into a two-column table for each key/value pair.
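The three-step workflow described on this page (token request, workspace query, response handling), written out as an added Python example. This is illustration code, not Salem's own implementation or configuration: the token and query endpoint URLs are the public Azure AD v2.0 token endpoint and the Log Analytics query API, but the tenant/client/workspace IDs, the client secret, the KQL column names ("Account", "Status") and the sample response are constructed placeholders. The builders return the request pieces so they can be checked offline; run_search is the only function that touches the network.

```python
import json
import urllib.request
from urllib.parse import urlencode

# Constructed placeholder values for the three static keys (not real identifiers).
STATIC_KEYS = {
    "tenant_id": "00000000-0000-0000-0000-000000000000",
    "client_id": "11111111-1111-1111-1111-111111111111",
    "workspace_id": "22222222-2222-2222-2222-222222222222",
}

# The two user inputs from the default configuration. Column names "Account" and
# "Status" are assumptions; the page only says "an account field" and "a status field".
DEFAULT_INPUT_KEYS = {
    "query": 'AADAuthentication | where Account == "sample.account@salemcyber.com" '
             'and Status == "failed" | count',
    "timespan": "P1D",  # ISO 8601 duration: look back one day
}

TOKEN_URL = "https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token"
QUERY_URL = "https://api.loganalytics.io/v1/workspaces/{workspace_id}/query"
SCOPE = "https://api.loganalytics.io/.default"


def build_token_request(static_keys, client_secret):
    """Step 1: OAuth2 client-credentials POST that exchanges the key vault
    secret for a bearer token. Returns (url, headers, body)."""
    url = TOKEN_URL.format(tenant_id=static_keys["tenant_id"])
    body = urlencode({
        "grant_type": "client_credentials",
        "client_id": static_keys["client_id"],
        "client_secret": client_secret,
        "scope": SCOPE,
    })
    return url, {"Content-Type": "application/x-www-form-urlencoded"}, body


def build_query_request(static_keys, bearer_token, input_keys):
    """Step 2: POST to the workspace query endpoint, carrying the bearer token
    and the user-supplied KQL query and timespan. Returns (url, headers, body)."""
    url = QUERY_URL.format(workspace_id=static_keys["workspace_id"])
    headers = {
        "Authorization": f"Bearer {bearer_token}",
        "Content-Type": "application/json",
    }
    body = json.dumps({"query": input_keys["query"], "timespan": input_keys["timespan"]})
    return url, headers, body


def response_to_key_value_rows(response_json):
    """Step 3: flatten the Log Analytics JSON response (tables -> columns/rows)
    into a list of (column name, value) pairs, i.e. the two-column table."""
    pairs = []
    for table in response_json.get("tables", []):
        names = [column["name"] for column in table["columns"]]
        for row in table["rows"]:
            pairs.extend(zip(names, row))
    return pairs


def _post(url, headers, body):
    """Send one POST and decode the JSON reply (only used by run_search)."""
    request = urllib.request.Request(url, data=body.encode(), headers=headers, method="POST")
    with urllib.request.urlopen(request, timeout=30) as reply:
        return json.load(reply)


def run_search(static_keys, client_secret, input_keys):
    """The full workflow against a live tenant. Needs network access and a real
    application registration; the offline pieces above can be exercised without it."""
    url, headers, body = build_token_request(static_keys, client_secret)
    token = _post(url, headers, body)["access_token"]  # never log this value
    url, headers, body = build_query_request(static_keys, token, input_keys)
    return response_to_key_value_rows(_post(url, headers, body))


# Constructed sample of the response shape for the default count query.
SAMPLE_RESPONSE = {
    "tables": [
        {
            "name": "PrimaryResult",
            "columns": [{"name": "Count", "type": "long"}],
            "rows": [[3]],
        }
    ]
}

if __name__ == "__main__":
    for name, value in response_to_key_value_rows(SAMPLE_RESPONSE):
        print(f"{name}: {value}")
```

Note that the client secret only ever appears in the form body of the token request and the resulting token only in the Authorization header of the query request; neither is written to output. The timespan is sent as a separate JSON field rather than folded into the KQL text, which keeps the user's query and the time window independently inspectable.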
