Azure Log Analytics
Azure Log Analytics is the log store and query service within the Azure Monitor ecosystem: a time-series, wide-column store rather than a relational database. Each workspace contains multiple tables, each defined by a fixed column schema, holding structured and semi-structured log and event data. Data in these tables is read with the Kusto Query Language (KQL), which supports anything from a simple search to a detailed multi-table analysis.
Azure Log Analytics workspace tables can be populated in several ways, such as through Microsoft Sentinel data connectors, the Azure Monitor Agent (AMA), and other ingestion mechanisms, to store security, networking, and application performance monitoring logs. For instance, enabling the Microsoft Defender XDR connector in Microsoft Sentinel creates tables that mirror the Advanced Hunting tables in Defender, with the same schema and content.
Query’s integration with Azure Log Analytics is a dynamic schema connector: Query auto-discovers the schema and data types within a given table and lets customers model that table against the Query Data Model (QDM), which is based on the Open Cybersecurity Schema Framework (OCSF). Users use the no-code Configure Schema workflow to perform point-and-click normalization and standardization of data by choosing which Azure Log Analytics table columns map into which QDM/OCSF fields.
For instance, a SOC analyst or detection engineer can model the “DeviceLogonEvents” table into QDM/OCSF Authentication events and create their own Entity mappings, then search that data from the Query UI or the Query Splunk App. Entities are multi-value searches that span every data source onboarded in Query; for example, the User SID, UPN, Account Name, and Logon ID columns can all be mapped into the Username or Email Address entities. This allows quick collation and correlation of related results even when they come from different event types or connectors.
Using Summary Insights, SOC managers and security architects can view aggregated data over any time range across all of their onboarded Azure Log Analytics tables. The aggregation reports the number of Entities, the event types, and the severity of the events along with their details. It can be used to quickly surface high-severity events from Windows Event Log or Threat Intelligence tables, or to view the top hosts, process names, command lines, or process IDs seen across the tables.
Many kinds of incident response and internal investigation can be conducted once Azure Log Analytics tables are onboarded, for example:
- Search for all events related to specific hosts by their Hostname or Machine ID reported by Defender, Intune, and/or Entra ID
- Search specific event types such as File System Activity to find corrupted files or zero-day artifacts by their hashes (SHA1, SHA256, MD5), file names, or the (parent) process names that created or modified them
- Normalize all Windows Event Logs across an entire fleet of Windows machines managed by Intune or created in Azure
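The following is an added example, not Query’s code, showing what the Configure Schema and Entity mapping described above amount to in practice: rows from two differently shaped Log Analytics tables (Defender’s DeviceLogonEvents and Entra ID’s SigninLogs) are normalized into OCSF Authentication events (class_uid 3002), and an entity index then answers the Username, Email Address and Hostname searches from the investigation list across both sources at once. The sample rows are constructed, and the column-to-OCSF mappings and entity definitions are illustrative assumptions rather than Query’s shipped mapping.

```python
"""Added example (not Query's code): normalize Azure Log Analytics rows into
OCSF Authentication events and run entity searches across them. Mappings and
entity definitions are assumptions, not Query's Configure Schema output."""
from collections import defaultdict

# Constructed sample rows shaped like KQL results from the Defender XDR
# DeviceLogonEvents table and the Entra ID SigninLogs table.
DEVICE_LOGON_EVENTS = [
    {"Timestamp": "2024-05-01T08:15:02Z", "DeviceName": "ws-0042.corp.example",
     "DeviceId": "5a2f9c1e", "ActionType": "LogonSuccess", "LogonType": "RemoteInteractive",
     "AccountDomain": "CORP", "AccountName": "jdoe", "AccountSid": "S-1-5-21-1-2-3-1104",
     "LogonId": 4418210, "RemoteIP": "10.0.5.7", "FailureReason": ""},
    {"Timestamp": "2024-05-01T08:14:40Z", "DeviceName": "ws-0042.corp.example",
     "DeviceId": "5a2f9c1e", "ActionType": "LogonFailed", "LogonType": "Network",
     "AccountDomain": "CORP", "AccountName": "jdoe", "AccountSid": "S-1-5-21-1-2-3-1104",
     "LogonId": 0, "RemoteIP": "10.0.5.7", "FailureReason": "InvalidUserNameOrPassword"},
]
SIGNIN_LOGS = [
    {"TimeGenerated": "2024-05-01T08:20:11Z", "UserPrincipalName": "jdoe@corp.example",
     "ResultType": "0", "IPAddress": "203.0.113.9", "AppDisplayName": "Exchange Online"},
    {"TimeGenerated": "2024-05-01T08:21:30Z", "UserPrincipalName": "asmith@corp.example",
     "ResultType": "50126", "IPAddress": "198.51.100.4", "AppDisplayName": "Azure Portal"},
]

# OCSF Authentication class constants; logon_type_id follows Windows numbering.
OCSF_AUTHENTICATION = {"category_uid": 3, "class_uid": 3002, "activity_id": 1}
LOGON_TYPE_IDS = {"Interactive": 2, "Network": 3, "Batch": 4, "Service": 5,
                  "Unlock": 7, "RemoteInteractive": 10}

# Per-table mapping (assumed): source column -> dotted OCSF path for plain copies,
# plus transforms returning {path: value} for columns that need translation.
TABLE_MAPPINGS = {
    "DeviceLogonEvents": {
        "columns": {"Timestamp": "time", "DeviceName": "device.hostname",
                    "DeviceId": "device.uid", "AccountName": "user.name",
                    "AccountDomain": "user.domain", "AccountSid": "user.uid",
                    "RemoteIP": "src_endpoint.ip", "FailureReason": "status_detail"},
        "transforms": {
            "ActionType": lambda v: {"status_id": 1 if v == "LogonSuccess" else 2},
            "LogonType": lambda v: {"logon_type_id": LOGON_TYPE_IDS.get(v, 0)},
            # A LogonId of 0 means no session was created; keep only real ids.
            "LogonId": lambda v: ({"session.uid": str(v)} if v else {}),
        },
    },
    "SigninLogs": {
        "columns": {"TimeGenerated": "time", "IPAddress": "src_endpoint.ip",
                    "AppDisplayName": "service.name"},
        "transforms": {
            # ResultType "0" is success; anything else is an Entra error code.
            "ResultType": lambda v: {"status_id": 1 if v == "0" else 2, "status_code": v},
            # Derive user.name from the UPN so it correlates with Defender's AccountName.
            "UserPrincipalName": lambda v: {"user.email_addr": v,
                                            "user.name": v.split("@", 1)[0]},
        },
    },
}

def set_path(obj, dotted, value):
    parts = dotted.split(".")
    for part in parts[:-1]:
        obj = obj.setdefault(part, {})
    obj[parts[-1]] = value

def get_path(obj, dotted):
    for part in dotted.split("."):
        if not isinstance(obj, dict) or part not in obj:
            return None
        obj = obj[part]
    return obj

def normalize(table, row):
    """Map one Log Analytics row into an OCSF Authentication event."""
    spec = TABLE_MAPPINGS[table]
    event = dict(OCSF_AUTHENTICATION)
    event["metadata"] = {"product": {"name": "Azure Log Analytics"}, "log_name": table}
    for col, path in spec["columns"].items():
        if row.get(col) not in (None, ""):       # skip empty cells such as FailureReason
            set_path(event, path, row[col])
    for col, fn in spec["transforms"].items():
        if col in row:
            for path, value in fn(row[col]).items():
                set_path(event, path, value)
    return event

# Entity definitions (assumed): which OCSF paths feed each searchable entity.
ENTITY_MAPPINGS = {"Username": ["user.name", "user.uid", "session.uid"],
                   "Email Address": ["user.email_addr"],
                   "Hostname": ["device.hostname"]}

def build_entity_index(events):
    """entity type -> lower-cased value -> events carrying that value."""
    index = defaultdict(lambda: defaultdict(list))
    for event in events:
        for entity, paths in ENTITY_MAPPINGS.items():
            for path in paths:
                value = get_path(event, path)
                if value is not None:
                    index[entity][str(value).lower()].append(event)
    return index

def search_entity(index, entity, value):
    return index[entity].get(value.lower(), [])

def normalize_all():
    events = [normalize("DeviceLogonEvents", r) for r in DEVICE_LOGON_EVENTS]
    return events + [normalize("SigninLogs", r) for r in SIGNIN_LOGS]

if __name__ == "__main__":
    index = build_entity_index(normalize_all())
    for hit in search_entity(index, "Username", "jdoe"):   # hits from both tables
        print(hit["metadata"]["log_name"], hit["status_id"], hit.get("src_endpoint"))
```

Searching the Username entity for "jdoe" returns both Defender logon rows and the Entra sign-in, because the SigninLogs transform derives user.name from the UPN; searching the same entity for the SID returns only the Defender rows, since SigninLogs carries no SID. Keeping the mapping declarative, as the Configure Schema workflow does, is what lets a new table be added without touching the search logic.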
To integrate Microsoft Sentinel Incidents, see the integration documentation here. That integration likewise normalizes data into Query’s OCSF-based QDM (Query Data Model).