Skip to main content
Version: 2.10.2

Azure Log Analytics Workspace

Use this output type to send NFO data to Microsoft Azure Log Analytics Workspace (Azure Monitor, Sentinel). For more information, visit https://learn.microsoft.com/en-us/azure/azure-monitor/logs/log-analytics-workspace-overview

For Azure Log Analytics Workspace output configuration you need Log Analytics Workspace ID and workspace Primary key. These properties are available here: Open Azure portal > Log Analytics workspaces > select workspace > on the left panel navigate to “Agents management” from “Settings” items group > Log Analytics agent instructions > copy Workspace ID and Primary key

Azure Log Analytics Workspace output has following parameters.

ParameterDescription
Workspace IDLog Analytics workspace ID
Workspace KeyLogs Analytics workspace primary key
Log TypeLogs identifier in Azure. This is also known as a Custom Logs table name and suffix _CL is automatically added to the user defined name. Log Type can be a constant string or a pattern like nfo_${nfc_id}, where ${nfc_id} is substituted from the json message. Log Type can contain only alphanumeric characters and the underscore _. Log Type after variables substitution must meet this requirements too.
Resource IDThe resource ID of the Azure resource that custom logs should be assigned to. This is used to managing access to custom logs. The field may be empty, in this case custom logs won’t be included in resource-context queries.
Report threadsOutput threads count (default is 2). This is the number of threads allocated to receive messages produced by NFO and sent to Log Analytics Workspace.
Report interval (sec)Time interval in seconds between report threads executions (default is 10)
Max message size (bytes)Maximum message size in bytes. NFO combines several logs into one bulk request. Default is 8,000,000
nfc_id filterComma separated list of NFO Modules’ nfc_ids to be send to Azure. This is optional parameter, if not set, all messages are sent.

NFO JSON fields are mapped to Azure custom table fields with suffix _s for strings and _d for numbers. For example, json action is mapped to action_s and bytes is mapped to bytes_d

Query language documentation: https://docs.microsoft.com/en-us/azure/data-explorer/kusto/query/

More information about Resource ID output parameter is available here: https://docs.microsoft.com/en-us/azure/azure-monitor/logs/manage-access?tabs=portal#custom-logs

For example, resource group ID may be copied from here: Azure portal > Resource groups > Settings group, Properties > copy Resource ID

If you’ve entered Resource ID correctly, Logs can be viewed in this resource: Resource group > Monitoring group, Logs > search logs by custom logs table name (for example, nfo_20062_CL)

Microsoft Sentinel Configuration

  1. Open Azure Portal
  2. Open Microsoft Sentinel
  3. Click + Create
  4. Create a new workspace if needed:
    1. Select subscription
    2. Select resource grup
    3. Enter name
    4. Select region
    5. Click Review and Create
  5. Select workspace and click Add button