Log Analytics XDR
  • 24 Mar 2025

Article summary

Log Analytics XDR enhances security operations by aggregating and analyzing logs from multiple sources to detect, investigate, and respond to threats in real time. By leveraging advanced analytics and automation, it provides deep visibility into security events, enabling proactive threat detection and faster incident response. For detailed information, please refer to Microsoft’s official documentation.

Integration Method: API

Tables: Detection Finding (2004)

This integration supports the following event type.

    Event     Description
    Alerts    Retrieve a list of alerts.

Note:

Azure Log Analytics XDR is a continuously updated cloud service. At the time this document was prepared, the latest release was from January 2025.

Prerequisites

  • The user should have access to the Azure portal with an account that has the Global Administrator privileges.

  • The user should have access to the DataBee console.

Configuration Overview

  1. Create Microsoft Sentinel resource group and workspace.

  2. Configure Microsoft Defender XDR.

  3. Create an application with required permissions to fetch the data.

  4. Create the Log Analytics XDR Data Feed in the DataBee console with the required client credentials, mapped as follows:

    DataBee Parameter              Azure Parameter
    Client Key                     Application (client) ID
    Client Secret                  Client Secret Value
    Token URL(<application_id>)    Directory (Tenant) ID

Azure Configuration

  • DataBee connects to the Azure Monitor Log Analytics API endpoint, which returns the AlertInfo and AlertEvidence records held in the workspace.

  • The integration uses KQL queries, so the workspace must contain the “AlertInfo” and “AlertEvidence” tables.

  • To ingest data into the workspace’s tables, set up the “Defender XDR” connector in Microsoft Sentinel from the Content Hub. Note that Microsoft Defender must already be producing alerts; otherwise, you need to generate data for the “AlertInfo” and “AlertEvidence” tables.

Create Microsoft Sentinel Resource Group and Workspace

  1. In the search bar, search for Microsoft Sentinel and select it.

  2. Click on the Create button to create a new resource group.


  3. Click on the Create a new workspace button to create a workspace.



  4. Select the ‘Subscription’.


  5. Enter the Workspace name.

  6. Click the Create New button to create a new resource group or select an existing one.


  7. Enter the resource group name.


  8. Click on the OK button and then click on Review + Create button.


  9. Click on the Create button.

  10. Click on the created workspace and, on its Overview page, copy the ‘Workspace ID’ for later use.


Configure Microsoft Defender XDR

  1. Click on the created Microsoft Sentinel workspace.

  2. In the left sidebar, click Content hub.


  3. In the search bar, search for Microsoft Defender XDR.

    1. Select Microsoft Defender XDR and click on Install.


  4. After installing the Microsoft Defender XDR, click on Manage.


  5. Select Microsoft Defender XDR and click on Open connector page.


  6. Check the Prerequisites and scroll down.

  7. Select Microsoft Defender Alerts (AlertInfo and AlertEvidence) and click on Apply Changes.


Create an application

  1. Log on to Azure portal with an account that has the Global Administrator privilege.  

  2. In the search bar, search for App Registrations and select it.


  3. On the “App registrations” page, select New registration; the “Register an application” window will appear.


  4. On the “Register an application” window:

    1. Under ‘Name’, enter your application name, then click on Register to create the application.


  5. On the app Overview page, copy the Application (client) ID and Directory (tenant) ID for later use.


Add Endpoint Access

Once the application is created, it must be granted one permission in order to fetch data. Without the appropriate permissions, the application cannot access the endpoints. The following section details how to configure and add permissions for the required endpoints.

Add Permissions

From the Azure Active Directory portal:

  1. Select the application registered in the previous step.

  2. Under Manage, click API Permissions and then click Add a Permission; the “Request API permissions” window will appear.


  3. On the APIs my organization uses tab, click on Log Analytics API.

  4. Click on Application Permissions and select the following permission:

    Event     Type           Permission
    Alerts    Application    Data.Read

  5. Click the Add permissions button after selecting all required permissions.


  6. On the “API permissions” page, click Grant Admin Consent for <tenant> and click the Yes button on the consent confirmation.


  7. The necessary permissions have now been added for the endpoints. After this step, the application’s permissions should include at least the minimum required permission listed above (Data.Read, with admin consent granted).

Create the Client Secret

The final step to accessing the APIs is creating a Client Secret. To create it from the Azure Portal:

  1. Select the application created above.

  2. Under Manage, click Certificates & Secrets, and then Client Secrets.

  3. Click New client secret; the “Add a client secret” window appears.


  4. On the “Add a client secret” window:

    1. Enter a ‘Description’ for this client secret and select the desired expiry period from the ‘Expires’ drop-down list.

  5. Then click on Add to create the client secret.


    Note:

    The user needs to re-create the client secret when it expires.

  6. Copy the ‘Value’ field for later use.

DataBee Configuration

  1. Log in to the DataBee UI, navigate to Data > Data Feeds, and click the Add New Data Feed button.


  2. Search for Log Analytics XDR and click it.


  3. Select the API Ingest option as the collection method.


  4. Enter feed contact information and click Next.


  5. In the configuration page, confirm the following:

    • API Base URL: Base URL

    • Authorization Method: OAuth2

    • Client Key: paste the Application (client) ID copied earlier.

    • Client Secret: paste the Client Secret Value created earlier.

    • Token URL: replace the <token_id> placeholder with your Directory (Tenant) ID.

    • Workspace ID: paste the Workspace ID copied earlier.

    • Event Types: preselected for all the event types that the integration pulls.


  6. Click Submit.

Troubleshooting Tips

  • If you see an invalid_client or unauthorized_client error, the credentials are most likely incorrect. Ensure the client key, client secret, and Tenant ID are pasted correctly. Since you cannot view the client secret after the first time, re-create it, paste it into a text editor to confirm that no spaces or unexpected characters are included, and reconfigure the DataBee feed.

  • If you receive response code 403, permissions are most likely missing. Ensure that all the required permissions are granted correctly as described in the steps above.
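The Azure Configuration section above states that the feed authenticates with OAuth2 client credentials and runs KQL against the AlertInfo and AlertEvidence tables, and the troubleshooting tips map invalid_client/unauthorized_client and 403 responses to credential and permission problems. The following added example (not DataBee’s or Microsoft’s code) checks both before the feed is created; it assumes the Microsoft identity platform v2.0 token endpoint, the api.loganalytics.io query endpoint and the wording of the table-missing error, and reads TENANT_ID, CLIENT_ID, CLIENT_SECRET and WORKSPACE_ID from environment variables.

```python
import json
import os
from urllib.error import HTTPError
from urllib.parse import urlencode
from urllib.request import Request, urlopen

LOGIN = "https://login.microsoftonline.com"   # Microsoft identity platform v2.0 (assumed)
API = "https://api.loganalytics.io"           # Log Analytics query API base (assumed)
TABLES = ("AlertInfo", "AlertEvidence")       # tables the integration's KQL reads

def token_request(tenant_id, client_id, client_secret):
    """Build the OAuth2 client-credentials POST (url, form body) for the Directory (Tenant) ID."""
    body = urlencode({"grant_type": "client_credentials", "client_id": client_id,
                      "client_secret": client_secret, "scope": f"{API}/.default"})
    return f"{LOGIN}/{tenant_id}/oauth2/v2.0/token", body.encode()

def query_request(workspace_id, table, timespan="P1D"):
    """Build the query POST that counts rows in `table` over an ISO 8601 timespan."""
    body = json.dumps({"query": f"{table} | count", "timespan": timespan})
    return f"{API}/v1/workspaces/{workspace_id}/query", body.encode()

def diagnose(status, body):
    """Map an HTTP failure to its likely cause, mirroring the troubleshooting tips."""
    if "invalid_client" in body or "unauthorized_client" in body:
        return "credentials: re-check Client Key, Client Secret Value and Tenant ID"
    if status == 403:
        return "permissions: grant Log Analytics API Data.Read and admin consent"
    if status == 400 and "Failed to resolve table" in body:   # API's wording, assumed
        return "workspace: table missing, confirm the Defender XDR connector is ingesting"
    return f"unexpected HTTP {status}: {body[:200]}"

def post(url, body, token=None):
    """POST and return (status, text): JSON + bearer with a token, form-encoded without."""
    headers = ({"Authorization": f"Bearer {token}", "Content-Type": "application/json"}
               if token else {"Content-Type": "application/x-www-form-urlencoded"})
    try:
        with urlopen(Request(url, data=body, headers=headers, method="POST"), timeout=30) as r:
            return r.status, r.read().decode()
    except HTTPError as err:   # 4xx/5xx: keep the body, it carries the error details
        return err.code, err.read().decode()

if __name__ == "__main__":   # secrets come from the environment, never hard-coded
    env = {k: os.environ[k] for k in ("TENANT_ID", "CLIENT_ID", "CLIENT_SECRET", "WORKSPACE_ID")}
    status, text = post(*token_request(env["TENANT_ID"], env["CLIENT_ID"], env["CLIENT_SECRET"]))
    if status != 200:
        raise SystemExit(diagnose(status, text))
    token = json.loads(text)["access_token"]
    for table in TABLES:   # a zero count means the connector is not ingesting yet
        status, text = post(*query_request(env["WORKSPACE_ID"], table), token)
        print(table, json.loads(text)["tables"][0]["rows"][0][0] if status == 200 else diagnose(status, text))
```

A non-zero count for both tables means the Defender XDR connector is populating the workspace and the app registration can read it with the Data.Read permission the feed relies on.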

