Azure Log Analytics, part of Microsoft’s Azure Monitor, collects and analyzes telemetry data from Azure, on-premises, and third-party sources, with integration to Sentinel for enhanced security. With Kusto Query Language (KQL), it helps monitor performance, enhance security, and troubleshoot issues.
Torq enables quick and easy integration with Azure Log Analytics, so you can automate anything and everything within moments. Torq's public Azure Log Analytics steps include:
- Generate Access Token
- Execute Query
If you don't see a step you need, you can create your own in various ways, such as using the Send an HTTP Request step or Torq’s Step Builder, and share it across your organization.
Use Azure Analytics Steps in a Torq Workflow
Step One: Create an Application Registration in Azure for Azure Log Analytics
1. In Azure: Go to your Azure administration portal and navigate to Microsoft Entra ID > App Registrations > New Registration.
2. Fill in Details: Choose a unique and meaningful name for your app and click Register.
3. API Permissions: Select API Permissions > Add permission > APIs my organization uses > type Log Analytics API and select Log Analytics API.
4. Application Permissions: Select Application Permissions. Choose the Data.Read permission and then click Add Permissions.
5. Admin Consent: Select Grant admin consent.
6. Get Secret: Go to Certificates and Secrets and give the secret a meaningful description such as Torq Secret, and click Add. Save the secret in a safe location for later use in Torq.
7. Save Details: Go to Overview and copy the Display name, Application ID, and Tenant ID, and save them somewhere safe for use later in Torq.
8. Assign Role: Go to your Azure portal and type Log Analytics Workspaces in the search bar. Select Log Analytics Workspaces.
   a. Select the appropriate Log Analytics Workspace from the list, and copy the Workspace ID somewhere safe for use later in Torq.
   b. Select Access Control (IAM) from the left navigation pane.
   c. Select the Role Assignments tab and then select +Add > Add role assignment.
   d. Select the Job function roles tab, and type Log Analytics Reader in the search bar.
   e. Select the Log Analytics Reader role and click Next.
   f. Select Assign access to > User, group or service principal.
   g. Click +Select Members.
   h. In the Select Members search bar, type the display name of the application registration that you copied earlier in step 7. Locate your application and click Select.
9. Finalize: Click Next > Review and Assign. Move to the Torq platform for Step Two.
Step Two: Create an Azure Log Analytics Steps Integration in Torq
1. Add Integration: Go to Build > Integrations > Steps > Azure Log Analytics and click Add.
2. Fill in Details:
   a. Give the integration a unique and meaningful name.
   b. In Azure Tenant ID, enter the Tenant ID you copied earlier in step 7.
   c. In Azure Application Client ID, enter the Application ID you copied earlier in step 7.
   d. In Client Secret, enter the secret you created earlier in step 6.
3. Finalize: Click Save to save.
Step Three: Execute Azure Log Analytics Queries in Torq Workflows
1. Go to Workflows: Go to Build > Workflows. Create a new workflow or access a workflow from which you want to execute a query to Azure Log Analytics.
2. Store Azure Log Workspace ID: Add a new Workflow Parameters step to your workflow (if you don't already have one) to store the Azure Log Analytics Workspace ID you copied earlier in step 8.a.
3. Generate Access Token: Add a new Azure Log Analytics Generate Access Token step to the designer. Select the Azure Log Analytics integration you created earlier.
4. Optionally: Add a new Azure Log Analytics Execute Query step and set it up to use:
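
For reference, the HTTP exchange that a token step and a query step correspond to, written as an added Python example (not Torq's code and not part of the original page). It assumes the standard Microsoft identity platform client-credentials flow and the Log Analytics query REST API; the function names and the sample response are constructed for illustration.

```python
import json
import urllib.parse
import urllib.request

LOGIN = "https://login.microsoftonline.com"
API = "https://api.loganalytics.io"

def token_request(tenant_id, client_id, client_secret):
    """Client-credentials token request; the secret travels only in the POST body."""
    body = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,          # Application ID saved in Step One
        "client_secret": client_secret,  # secret saved in Step One
        "scope": f"{API}/.default",      # resolves to the consented Data.Read permission
    }).encode()
    return urllib.request.Request(f"{LOGIN}/{tenant_id}/oauth2/v2.0/token",
                                  data=body, method="POST")

def query_request(workspace_id, access_token, kql, timespan="PT1H"):
    """KQL query request against one workspace, authenticated with the bearer token."""
    body = json.dumps({"query": kql, "timespan": timespan}).encode()
    ws = urllib.parse.quote(workspace_id, safe="")
    return urllib.request.Request(
        f"{API}/v1/workspaces/{ws}/query", data=body, method="POST",
        headers={"Authorization": f"Bearer {access_token}",
                 "Content-Type": "application/json"})

def rows_from_response(payload):
    """Flatten the API's tables/columns/rows layout into a list of dicts."""
    if "error" in payload:  # surface a reported error instead of returning partial rows
        raise RuntimeError(payload["error"].get("message", "query failed"))
    out = []
    for table in payload.get("tables", []):
        names = [c["name"] for c in table["columns"]]
        out.extend(dict(zip(names, row)) for row in table["rows"])
    return out

def run_query(tenant_id, client_id, client_secret, workspace_id, kql):
    """Live call; needs network access and the values saved in Step One."""
    with urllib.request.urlopen(token_request(tenant_id, client_id, client_secret), timeout=30) as r:
        token = json.load(r)["access_token"]
    with urllib.request.urlopen(query_request(workspace_id, token, kql), timeout=60) as r:
        return rows_from_response(json.load(r))

# Constructed sample response in the API's table layout (not real data).
SAMPLE = {"tables": [{"name": "PrimaryResult",
    "columns": [{"name": "Computer", "type": "string"}, {"name": "Count", "type": "long"}],
    "rows": [["host-a", 12], ["host-b", 3]]}]}
```

A 403 from the query call with a valid token usually points at the workspace role assignment rather than the app registration, since the token only proves identity and the Log Analytics Reader role grants access to the workspace data.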
Templates
Now that you've added your integration, check out these specially crafted templates by Torq's security experts. Visit Torq's template library for more.