Log analytics Azure Activity

Log Analytics Azure Activity centralizes log analysis for Azure and on-premises resources. By tracking Administrative and Alert logs, it enables auditing, security monitoring, and rapid issue detection—enhancing system security and operational efficiency. Please find more details on the official page of Log analytics azure activity.

Integration Method: API

Tables: Detection Finding (2004), Entity Management (3004)

This integration supports the following events.

This integration supports the following versions.

Note:

Log analytics azure activity doesn’t follow a traditional versioning system. Instead, it is a continuously updated cloud service. Please find more details here.

Prerequisites

• The user required at least Global Administrator privilege to create and manage application in azure cloud.

• The user should have access to the DataBee platform.

Configuration Overview

1. Create an application with required permissions to fetch the data. 

2. Add Log analytics azure activity in the DataBee console with below parameter.

   DataBee Feed Parameter	Azure Parameter
   Workspace ID	Workspace ID
   Client Key	Application (Client) ID
   Client Secret	Client Secret
   Token URL(<application_id>)	Directory (tenant) ID

Azure Configuration

Create an application

1. Log on to Azure portal with an account that has the Global Administrator privileges.

2. In the search bar, search for App Registrations and select it. 

   

3. On the “App registrations” page, click on New registration. The “Register an application” window will appear. 

   

4. On the “Register an application” window: 

   • Under ‘Name’ enter your application name then click on Register to create the application. 

     

5. On the app Overview page, copy the Application (client) ID and Directory (tenant) ID for later use.

   

Add Endpoint Access

Once the application is created, appropriate permissions should be provided in order to fetch data. The appropriate permissions for the application are needed to access these endpoints. The following section details how to configure and add permissions to the required endpoints.   

Add Permissions

To add permissions for the endpoint outlined above, from the Azure Active Directory portal:

1. Select the application registered in the previous step. 

2. Under Manage, click API Permissions and then click Add a Permission, the “Request API permissions” window will appear. Go to APIs my organization uses > Search for the “Log analytics API” and select the Log Analytics API.

   

3. Click on Log Analytics API then select Delegated Permissions as Permission type.

   Event	Type	Permission
   Administrative and Alert Activities	Delegated	Data.Read

4. Click the Add permissions button after selecting all required permissions.

   
   

5. On the “API permissions” page:

   1. Click Grant Admin Consent for <tenant>.

   2. Click the Yes button on the consent confirmation.

   

6. The required permissions are now added for the endpoints. Overall permission looks like this and make sure that type is application for all.
    

Workspace configuration

Now our app has permissions to use API, our app needs access to Log Analytics workspace.

1. Search for Log Analytics workspaces as shown below. Go to “Log Analytics workspace” overview page.
    

2. Go to your Workspace and then save workspace ID for future use.
   
   

3. From the left tab menu, Select Access control (IAM) > Select Add role assignment.
    

4. Select the Reader role and then click on Next.
    

5. On the Members tab, choose Select members. Enter the name of your app in the Select box. Select your app and choose Select. Select Review + assign. 
    
   

   Note:

   For more details on the above steps. Please refer documentation.  

Create the client secret

The final step to accessing the APIs is creating a Client Secret. To create it from the Azure Portal:   

1. Select the application created above. 

2. Under Manage, Click Certificates and Secrets, and then Client Secrets. 

   
    

3. Click New client secret. Then “Add a client secret” window appears. 

   

4. On “Add a client secret” window: 

   1. Enter a ‘Description’ for this client secret and select the desired expiry period from the ‘Expires’ drop-list.

   2. Then click on Add to create the client secret.

      

5. Save Client Secret for future use.

   

   Note:

   The user needs to re-create the client secret when it expires.

DataBee Configuration

1. Login to the DataBee UI, navigate to Data > Data Feeds and click the Add New Data Feed button.
    

2. Search for the Log Analytics Azure Activity and click it as shown below.
    

3. Click on the API Ingest option for collection method.
    

4. Enter feed contact information and click Next.

   
   

5. In the configuration page, enter the following

   • Authentication Method: OAuth2

   • Client Key: Client ID found in the application overview page.

   • Client Secret: Client Secret generated for the application.

   • Token URL: update the Tenant ID found in the application overview page.

   • API Base URL: keep the default API Base URL.

   • Event Types: preselected for all the event types that integration pulls.

   • Workspace ID: provide Workspace ID for the application.
     

6. Click Submit.

Troubleshooting Tips

• Ensure the token is pasted correctly. Since you cannot view the token after the 1^st time, re-create the token, paste it on a text editor to ensure no spaces or unexpected characters are included and reconfigure the DataBee feed.

• Ensure that the application has necessary permissions as mentioned in the document.