Tip

This article was accurate at the time of writing, but changes happen. If you find the instructions are outdated, leave a description in the comment field below and let us know!

Azure Log Analytics aggregates log data from an Azure deployment and provides search capabilities over it. It serves as the data store that Azure applications and services write to, and it can also be queried directly.

Depending on policy and configuration, Azure Log Analytics can contain all kinds of data relevant to a security team. Most notably, after security audit policies are enabled on Azure VMs, they feed log data to Azure Log Analytics where it can be queried in the Analytics Portal.

Step 1: Set up Azure AD Account for access to Azure Log Analytics

  1. Create an account for Expel in Azure AD and grant it read access to the Log Analytics workspace. Querying only requires the built-in Log Analytics Reader role; contributor or write rights are not needed.

  2. Name the account expelsoc@[your AD domain].

Step 2: Set up the Azure Log Analytics REST API

The Azure Log Analytics REST API lets you query the full set of data collected by Azure Log Analytics using the same query language (KQL) used throughout the service. To get started, follow these steps.

These steps provide a simple way to get started, but a lot more options are available. For full details, make sure to review Using the API, as well as the Microsoft reference.

Follow Steps 1-1.2 of the instructions documented by Microsoft:

https://dev.loganalytics.io/documentation/1-Tutorials/Direct-API

Step 3: Configure Azure Log Analytics in Workbench

  1. In a new browser tab, login to https://workbench.expel.io/settings/security-devices?setupIntegration=azure_log_analytics.

  2. Fill in the fields like this:

    • For Name type the host name of the Azure Log Analytics device.

    • For Location type Cloud.

    • For Directory ID, type the ID of the Azure Active Directory (tenant) in the cloud instance.

    • For Application ID, type the ID of the app registration that was granted access to Azure Log Analytics in Step 2.

    • For Application secret, type the client secret used to authenticate the application. The Azure portal shows a client secret only once, when it is created, so record it at that point; it is a credential and should be handled as one.

    • For Workspace ID, type the ID of the workspace within Azure Log Analytics.
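
Before entering the four values above into Workbench, it is worth confirming that they actually work against the API. The script below is an added example, not part of this article or of Expel's tooling. It performs the OAuth2 client-credentials flow from Step 2 using the same Directory ID, Application ID and Application secret that Step 3 asks for, runs a short KQL query against the Workspace ID, and flattens the API's tabular response. The token endpoint (the v2.0 endpoint with the `https://api.loganalytics.io/.default` scope), the v1 `workspaces/{id}/query` endpoint, the `SecurityEvent` check query and the `SAMPLE_RESPONSE` payload are my assumptions and constructed data, not taken from the article; when no credentials are present in the environment the script parses the constructed sample instead of calling Azure.

```python
"""Check Azure Log Analytics API credentials before entering them in Workbench.

Added example (not the article's or Expel's code). Runs the client-credentials
flow with the values Workbench asks for, then executes a small KQL query.
"""
import json
import os
import urllib.parse
import urllib.request

# Assumed endpoints: Microsoft's v2.0 token endpoint and the v1 query API.
TOKEN_URL = "https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token"
SCOPE = "https://api.loganalytics.io/.default"
QUERY_URL = "https://api.loganalytics.io/v1/workspaces/{workspace}/query"

# Assumed check query; any table present in the workspace would do.
CHECK_QUERY = ("SecurityEvent | where TimeGenerated > ago(1h) "
               "| project TimeGenerated, Computer, EventID | take 5")


def build_token_request(directory_id, application_id, application_secret):
    """Return (url, form-encoded body) for the token request.

    Mapping to the Workbench fields: Directory ID -> tenant in the URL,
    Application ID -> client_id, Application secret -> client_secret.
    """
    url = TOKEN_URL.format(tenant=directory_id)
    body = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": application_id,
        "client_secret": application_secret,
        "scope": SCOPE,
    }).encode()
    return url, body


def build_query_request(workspace_id, kql, timespan="PT1H"):
    """Return (url, JSON body) for a query against the given Workspace ID."""
    url = QUERY_URL.format(workspace=workspace_id)
    body = json.dumps({"query": kql, "timespan": timespan}).encode()
    return url, body


def parse_query_response(payload):
    """Flatten {"tables": [{"columns": [...], "rows": [...]}]} into dicts.

    Only the PrimaryResult table (or an unnamed single table) is returned;
    each row becomes a dict keyed by column name.
    """
    rows = []
    for table in payload.get("tables", []):
        if table.get("name") not in (None, "PrimaryResult"):
            continue
        names = [col["name"] for col in table["columns"]]
        for row in table["rows"]:
            rows.append(dict(zip(names, row)))
    return rows


def _post(url, body, headers):
    """POST a body and decode the JSON reply (network call, not used offline)."""
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.loads(resp.read().decode())


def get_token(directory_id, application_id, application_secret):
    url, body = build_token_request(directory_id, application_id, application_secret)
    reply = _post(url, body, {"Content-Type": "application/x-www-form-urlencoded"})
    return reply["access_token"]


def run_query(token, workspace_id, kql=CHECK_QUERY, timespan="PT1H"):
    url, body = build_query_request(workspace_id, kql, timespan)
    headers = {"Authorization": "Bearer " + token,
               "Content-Type": "application/json"}
    return parse_query_response(_post(url, body, headers))


# Constructed sample reply in the API's response format (not real data).
SAMPLE_RESPONSE = {
    "tables": [{
        "name": "PrimaryResult",
        "columns": [{"name": "TimeGenerated", "type": "datetime"},
                    {"name": "Computer", "type": "string"},
                    {"name": "EventID", "type": "int"}],
        "rows": [["2021-03-05T08:00:07Z", "vm-web-01", 4624],
                 ["2021-03-05T08:01:12Z", "vm-web-01", 4625]],
    }]
}

if __name__ == "__main__":
    keys = ("DIRECTORY_ID", "APPLICATION_ID", "APPLICATION_SECRET", "WORKSPACE_ID")
    env = {k: os.environ.get(k) for k in keys}
    if all(env.values()):
        token = get_token(env["DIRECTORY_ID"], env["APPLICATION_ID"],
                          env["APPLICATION_SECRET"])
        for row in run_query(token, env["WORKSPACE_ID"]):
            print(row)
    else:
        print("No credentials in the environment; parsing the constructed sample:")
        for row in parse_query_response(SAMPLE_RESPONSE):
            print(row)
```

Export the four values as environment variables rather than pasting them on the command line, so the application secret does not end up in shell history. A 401 from the token endpoint means the Directory ID, Application ID or secret is wrong; a 403 from the query endpoint with a valid token means the app registration has a token but no read role on the workspace, which is the Step 1 permission rather than a Step 2 credential problem.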