Latest Discussions
Getting empty response while running a kql query using rest api
Hello All, I am trying to run a KQL query using PowerShell via the REST API by passing an Azure Entra app ID and secret key, but we are getting an empty response. The Log Analytics Reader role is assigned on the LA workspace and we are able to retrieve an access token. When we run the KQL query manually, we see results. Below is the sample snippet that I used; not sure what is wrong with it. Any help would be highly appreciated.

```powershell
$tenantId     = "<Tenant id>"
$clientId     = "<azure entra application app id>"
$clientSecret = "<app secret key>"

# Log Analytics Workspace details
$workspaceId = "<workspace ID>"

# Acquire a token (client credentials flow against the Entra v2.0 endpoint)
$body = @{
    client_id     = $clientId
    scope         = "https://api.loganalytics.io/.default"
    client_secret = $clientSecret
    grant_type    = "client_credentials"
}
$query = "AppRequests | limit 10"
$uri = "https://login.microsoftonline.com/$tenantId/oauth2/v2.0/token"
$response = Invoke-RestMethod -Uri $uri -Method Post -ContentType "application/x-www-form-urlencoded" -Body $body
$accessToken = $response.access_token

# Define the Log Analytics REST API endpoint
$baseUri = "https://api.loganalytics.io/v1/workspaces/$workspaceId/query"

# Set headers for the query
$headers = @{
    Authorization  = "Bearer $accessToken"
    "Content-Type" = "application/json"
}

# Prepare the request body
$requestbody = @{ query = $query } | ConvertTo-Json

# Send the request
$response = Invoke-RestMethod -Uri $baseUri -Method Post -Headers $headers -Body $requestbody -Debug

# Display the results
$response
```

Ashok42470, Mar 08, 2025, Copper Contributor, 60 Views, 0 likes, 1 Comment

Need assistance on KQL query for pulling AKS Pod logs
I am trying to pull historical pod logs using the KQL query below. It looks like joining the tables ContainerLog and KubePodInventory didn't go well, as I see a lot of duplicates in the output.

```kql
ContainerLog
//| project TimeGenerated, ContainerID, LogEntry
| join kind=inner (
    KubePodInventory
    | where ServiceName == "<<servicename>>"
) on ContainerID
| project TimeGenerated, Namespace, ContainerID, ServiceName, LogEntrySource, LogEntry, Name1
| sort by TimeGenerated asc
```

Can someone suggest a better query?

Ashok42470, Feb 22, 2025, Copper Contributor, 53 Views, 0 likes, 4 Comments

How to Monitor New Management Group Creation and Deletion.
I am writing this post to show how to monitor new Management Group creation and deletion using Azure Activity Logs and trigger an incident in Microsoft Sentinel. You can also use it to monitor subscription creation using the same steps. By default, the diagnostic settings at the management group level are not enabled. They cannot be enabled using Azure Policy or from the Portal interface. Use the article below to enable the "Management Group Diagnostic Settings": Management Group Diagnostic Settings - Create Or Update - REST API (Azure Monitor) | Microsoft Learn. Below is the message body if you would like to forward the logs only to the Log Analytics workspace where Sentinel is enabled. Also make sure you enable the diagnostic settings at the tenant management group level to track all changes in your tenant.

```json
{
  "properties": {
    "workspaceId": "<< replace with workspace resource ID>>",
    "logs": [
      { "category": "Administrative", "enabled": true },
      { "category": "Policy", "enabled": true }
    ]
  }
}
```

Once you have enabled the diagnostic settings, you can use the KQL queries below to monitor new Management Group creation and deletion using Azure Activity Logs.

```kql
//KQL query to identify if a Management Group is deleted
AzureActivity
| where OperationNameValue == "MICROSOFT.MANAGEMENT/MANAGEMENTGROUPS/DELETE"
| where ActivityStatusValue == "Success"
| extend mg = split(tostring(Properties_d.entity), "/")
| project TimeGenerated,
          activityStatusValue_ = tostring(Properties_d.activityStatusValue),
          Managementgroup = mg[4],
          message_ = tostring(parse_json(Properties).message),
          caller_ = tostring(Properties_d.caller)

//KQL query to identify if a Management Group is created
AzureActivity
| where OperationNameValue == "MICROSOFT.MANAGEMENT/MANAGEMENTGROUPS/WRITE"
| where ActivityStatusValue == "Success"
| extend mg = split(tostring(Properties_d.entity), "/")
| project TimeGenerated,
          activityStatusValue_ = tostring(Properties_d.activityStatusValue),
          Managementgroup = mg[4],
          message_ = tostring(parse_json(Properties).message),
          caller_ = tostring(Properties_d.caller)
```

This log can also be used to monitor new subscription creation, using the query below:

```kql
AzureActivity
| where OperationNameValue == "Microsoft.Management" and ActivityStatusValue == "Succeeded" and isnotempty(SubscriptionId)
```

If you need to trigger an incident in Sentinel, use the above query in a custom scheduled analytics rule and create an alert. Note: enabling this API on the Management Group diagnostic logs will also be inherited by the subscriptions downstream for the specific category.

hemanthselva, Feb 20, 2025, Microsoft, 148 Views, 1 like, 1 Comment

Missing entries in custom log table
We are writing to a custom log table in a few Log Analytics workspaces. These workspaces are targeted by a few different instances of our application (beta/staging/prod, etc.). Interestingly, some 3 of these workspaces are missing certain logs while the other 5 or so do have them. There are no exceptions thrown in our ASP.NET Core code where we do a SendMessage to OMS either. Any ideas if something like this is possible and how to troubleshoot/fix? Thanks

praveen_ramesh, Feb 12, 2025, Copper Contributor, 295 Views, 1 like, 1 Comment

Sentinel Incident Priority Mapping to SIR
Hi, we are working on implementing the SIR module within our ServiceNow platform. We have 5 levels of priority within SIR (Critical, High, Moderate, Low, Planning), whereas Sentinel has only 4 priorities (Informational, Low, Medium, High). Interested to know how other organizations have handled and mapped these priorities. Thanks in advance.

AmiShinu, Feb 06, 2025, Copper Contributor, 30 Views, 0 likes, 1 Comment

App Service health checks as KQL
I have health check endpoints on each of my APIs and can see the result timeline via the portal. What I would like to do is to have a query so that I can visualize this across multiple APIs and present these via a honeycomb diagram, but I'm struggling as to what I should query for.

phatcher, Feb 05, 2025, Copper Contributor, 306 Views, 1 like, 1 Comment

Sentinel Threat Intelligence Detection Rule
I'm working on connecting various Threat Intelligence TAXII feeds with our Sentinel platform. Does anyone have suggestions on the kind of detection rules using KQL we can build around these TAXII feeds? Most of them come with IPs, URLs, domains and hash values. Thanks in advance.

AmiShinu, Feb 04, 2025, Copper Contributor, 27 Views, 0 likes, 2 Comments

Multiple Failed SignIn Events
I have a user for whom, within the last week, I'm consistently seeing more than 100 failed login events from their authorized device. These seem to be something running at the back end, as the logs are within 2/3 minute intervals. The error message reads: "Due to a configuration change made by your administrator, or because you moved to a new location, you must use multi-factor authentication to access the resource." Also, the applications that show as interrupted are:

- Office Online Maker SSO
- Office Online Core SSO
- Office365 Shell WCSS-Client
- SharePoint Online Web Client Extensibility -> Microsoft Graph

Does anyone have any insights into addressing this issue? Thanks

AmiShinu, Jan 31, 2025, Copper Contributor, 48 Views, 0 likes, 1 Comment

Are you getting the most out of your Azure Log Analytics Workspace (LAW) investment?
Using a LAW is a great way to consolidate various types of data (performance, events, security, etc.) and signals from multiple sources. That's the easy part; mining this data for actionable insights is often the real challenge. One way we did this was by surfacing events related to disks across our physical server estate. We were already sending event data to our LAW; it was just a matter of parsing it with KQL and adding it to a Power BI dashboard for additional visibility. The snippet from the Power BI dashboard shows when the alert was first triggered and when the disk was eventually replaced. Here's the KQL query we came up with.

```kql
let start_time = ago(30d);
let end_time = now();
Event
| where TimeGenerated > start_time and TimeGenerated < end_time
| where EventLog contains 'System'
| where Source contains 'Storage Agents'
| where RenderedDescription contains 'Drive Array Physical Drive Status Change'
// Pull the drive, serial number and new status out of the rendered event text
| parse kind=relaxed RenderedDescription with * 'Drive Array Physical Drive Status Change. The ' Drive ' with serial number "' Serial '", has a new status of ' Status '. (Drive status values:' *
| project Computer, Drive, Serial, Status, TimeGenerated, EventLevelName
```

You can of course set up alerting with Alerts for Azure Monitor. I hope this example helps you get more value from your LAW.

Adeelaziz, Jan 23, 2025, Brass Contributor, 53 Views, 1 like, 2 Comments

Effective Cloud Governance: Leveraging Azure Activity Logs with Power BI
We all generally accept that governance in the cloud is a continuous journey, not a destination. There's no one-size-fits-all solution and, depending on the size of your Azure cloud estate, staying on top of things can be challenging even at the best of times. One way of keeping your finger on the pulse is to closely monitor your Azure Activity Log. This log contains a wealth of information ranging from noise to interesting to actionable data. One could set up alerts for delete and update signals; however, that can result in a flood of notifications. To address this challenge, you could develop a Power BI report, similar to this one, that pulls in the Azure Activity Log and allows you to group and summarize data by various dimensions. You still need someone to review the report regularly; however, consuming the data this way makes it a whole lot easier. This by no means replaces the need for setting up alerts for key signals, but it does give you a great view of what's happened in your environment. If you're interested, this is the KQL query I'm using in Power BI:

```kql
let start_time = ago(24h);
let end_time = now();
AzureActivity
| where TimeGenerated > start_time and TimeGenerated < end_time
| where OperationNameValue contains 'WRITE' or OperationNameValue contains 'DELETE'
| project TimeGenerated, Properties_d.resource, ResourceGroup, OperationNameValue, Authorization_d.scope, Authorization_d.action, Caller, CallerIpAddress, ActivityStatusValue
| order by TimeGenerated asc
```

Adeelaziz, Jan 17, 2025, Brass Contributor, 34 Views, 0 likes, 0 Comments
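An added example, not code from any of the posts above: the Log Analytics query API called in the first post returns its rows nested under `tables[0].rows` with column names listed separately, and the Python below flattens that shape into dicts and then summarises successful WRITE/DELETE operations per caller, the same grouping the Power BI report in the last post does over AzureActivity. The sample response is constructed to mimic that query's output and is not real data.

```python
"""Flatten a Log Analytics query API response and summarise Activity Log changes.

The v1 query endpoint answers with {"tables": [{"name", "columns", "rows"}]}:
values live in rows, and the field names only in columns, so a row is not a
flat record until the two are zipped together.
"""
import json
from collections import Counter, defaultdict

# Constructed sample response shaped like the AzureActivity query above (not real data).
SAMPLE_RESPONSE = json.dumps({"tables": [{
    "name": "PrimaryResult",
    "columns": [
        {"name": "TimeGenerated", "type": "datetime"},
        {"name": "OperationNameValue", "type": "string"},
        {"name": "Caller", "type": "string"},
        {"name": "CallerIpAddress", "type": "string"},
        {"name": "ActivityStatusValue", "type": "string"},
    ],
    "rows": [
        ["2025-01-17T08:00:00Z", "MICROSOFT.COMPUTE/VIRTUALMACHINES/WRITE", "alice@example.com", "203.0.113.10", "Success"],
        ["2025-01-17T08:05:00Z", "MICROSOFT.NETWORK/NETWORKSECURITYGROUPS/DELETE", "alice@example.com", "203.0.113.10", "Success"],
        ["2025-01-17T09:10:00Z", "MICROSOFT.MANAGEMENT/MANAGEMENTGROUPS/DELETE", "bob@example.com", "198.51.100.7", "Success"],
        ["2025-01-17T09:12:00Z", "MICROSOFT.STORAGE/STORAGEACCOUNTS/WRITE", "bob@example.com", "198.51.100.7", "Failed"],
    ],
}]})


def rows_as_dicts(response_json: str, table: str = "PrimaryResult") -> list:
    """Zip each row of the named table with that table's column names."""
    data = json.loads(response_json)
    for t in data.get("tables", []):
        if t["name"] == table:
            names = [c["name"] for c in t["columns"]]
            return [dict(zip(names, row)) for row in t["rows"]]
    return []  # no such table: an empty result, not an exception


def summarise_changes(records: list) -> dict:
    """Count successful WRITE/DELETE operations per caller, keyed by verb."""
    summary = defaultdict(Counter)
    for r in records:
        if r["ActivityStatusValue"] != "Success":
            continue  # failed attempts are still worth alerting on, but not counted here
        verb = r["OperationNameValue"].rsplit("/", 1)[-1]
        if verb in ("WRITE", "DELETE"):
            summary[r["Caller"]][verb] += 1
    return {caller: dict(counts) for caller, counts in summary.items()}


if __name__ == "__main__":
    print(json.dumps(summarise_changes(rows_as_dicts(SAMPLE_RESPONSE)), indent=2))
```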