Azure Log Analytics Workspace
Use this output type to send NFO data to Microsoft Azure Log Analytics Workspace (Azure Monitor, Sentinel). For more information, visit https://learn.microsoft.com/en-us/azure/azure-monitor/logs/log-analytics-workspace-overview
For Azure Log Analytics Workspace output configuration you need the Log Analytics Workspace ID and the workspace Primary key. These values are available in the Azure portal: Log Analytics workspaces > select workspace > in the left panel, under the “Settings” group, open “Agents management” > Log Analytics agent instructions > copy Workspace ID and Primary key
Azure Log Analytics Workspace output has the following parameters.
Parameter | Description |
---|---|
Workspace ID | Log Analytics workspace ID |
Workspace Key | Log Analytics workspace primary key |
Log Type | Log identifier in Azure. This is also known as the Custom Logs table name; the suffix _CL is automatically added to the user-defined name. Log Type can be a constant string or a pattern like nfo_${nfc_id}, where ${nfc_id} is substituted from the JSON message. Log Type can contain only alphanumeric characters and the underscore _ . The Log Type after variable substitution must meet these requirements too. |
Resource ID | The resource ID of the Azure resource that custom logs should be assigned to. This is used to manage access to custom logs. The field may be empty; in that case custom logs won’t be included in resource-context queries. |
Report threads | Output threads count (default is 2). This is the number of threads allocated to receive messages produced by NFO and sent to Log Analytics Workspace. |
Report interval (sec) | Time interval in seconds between report threads executions (default is 10) |
Max message size (bytes) | Maximum message size in bytes. NFO combines several logs into one bulk request. Default is 8,000,000 |
nfc_id filter | Comma-separated list of NFO Modules’ nfc_ids to be sent to Azure. This is an optional parameter; if not set, all messages are sent. |
NFO JSON fields are mapped to Azure custom table fields with the suffix _s for strings and _d for numbers. For example, the JSON field action is mapped to action_s and bytes is mapped to bytes_d.
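The three rules above (Log Type pattern substitution with the alphanumeric/underscore check and the automatic _CL suffix, the _s/_d column mapping, and the nfc_id filter) modelled as a small, added Python example; this is not NFO code, and the sample message is constructed here for illustration.

```python
import json
import re

# Constructed sample NFO message (not from the page). nfc_id is the field
# that a Log Type pattern such as nfo_${nfc_id} substitutes.
SAMPLE_NFO_JSON = '{"nfc_id": 20062, "action": "accept", "bytes": 1234, "src": "10.0.0.5"}'

LOG_TYPE_RE = re.compile(r"^[A-Za-z0-9_]+$")   # allowed Log Type characters
VAR_RE = re.compile(r"\$\{([A-Za-z0-9_]+)\}")  # ${field} placeholders


def load_message(raw: str) -> dict:
    """Parse one NFO JSON message."""
    return json.loads(raw)


def resolve_log_type(pattern: str, message: dict) -> str:
    """Substitute ${field} values from the message and return the Azure table name.

    Raises ValueError when the resolved Log Type breaks the alphanumeric/underscore
    rule, so an invalid table name is rejected before anything is uploaded.
    """
    def sub(m: re.Match) -> str:
        name = m.group(1)
        if name not in message:
            raise ValueError(f"Log Type variable ${{{name}}} missing from message")
        return str(message[name])

    resolved = VAR_RE.sub(sub, pattern)
    if not LOG_TYPE_RE.match(resolved):
        raise ValueError(f"Log Type {resolved!r} may contain only alphanumerics and '_'")
    return resolved + "_CL"  # Azure appends _CL to custom log table names


def map_fields(message: dict) -> dict:
    """Map NFO JSON fields to custom-table columns: numbers get _d, everything else _s."""
    columns = {}
    for key, value in message.items():
        # bool is an int subclass in Python; treating it as a string is an assumption here
        if isinstance(value, (int, float)) and not isinstance(value, bool):
            columns[f"{key}_d"] = value
        else:
            columns[f"{key}_s"] = str(value)
    return columns


def should_send(message: dict, nfc_id_filter: str) -> bool:
    """Apply the optional comma-separated nfc_id filter; an empty filter sends everything."""
    allowed = {p.strip() for p in nfc_id_filter.split(",") if p.strip()}
    return not allowed or str(message.get("nfc_id")) in allowed
```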
Query language documentation: https://docs.microsoft.com/en-us/azure/data-explorer/kusto/query/
More information about Resource ID output parameter is available here: https://docs.microsoft.com/en-us/azure/azure-monitor/logs/manage-access?tabs=portal#custom-logs
For example, a resource group ID may be copied from here: Azure portal > Resource groups > Settings group, Properties > copy Resource ID
If you’ve entered the Resource ID correctly, logs can be viewed in that resource: Resource group > Monitoring group, Logs > search logs by custom logs table name (for example, nfo_20062_CL)
Microsoft Sentinel Configuration
- Open Azure Portal
- Open Microsoft Sentinel
- Click + Create
- Create a new workspace if needed:
  - Select subscription
  - Select resource group
  - Enter name
  - Select region
- Click Review and Create
- Select workspace and click Add button