SOLVED

Log analytics API

Hey - I have built up a collection of saved searches in Azure Log Analytics, mainly searching the SecurityAlerts, SignInLogs and OfficeActivity tables. When I get a security alert notification from Microsoft, I run my searches then export to CSV to search for indicators of compromise bla bla. This is great, somewhat quick and easy.

But is there a programmatic way of doing this?

Using the Security Graph API I can see the signIn resource type, so that's great, but I do not see an Exchange mailbox audit log resource, so I cannot see how to retrieve audit logs via an API.

Can I query the Log Analytics data directly through an API, or is there another way to access this data programmatically?

I looked at using the Azure Cloud Console, but even this didn't seem to be able to access the data.

1 Reply
Solution

@Andrew Huddleston

There is the Log Analytics API https://docs.microsoft.com/en-us/rest/api/loganalytics/ and the Data Collector API https://docs.microsoft.com/en-us/azure/azure-monitor/platform/data-collector-api

When you get a Security Alert you could call a playbook (Logic App) to work with that data, even if it's only to create that CSV file.

Azure Sentinel has a new connector to O365 (I have not looked too closely myself at this particular connector and data, but Exchange is mentioned).

Thanks
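As an added example (not code from either poster), here is the programmatic version of the workflow the question describes: a saved KQL search is POSTed to the Log Analytics query API the answer links to, the tables/columns/rows JSON the API returns is flattened, matched against a set of indicator IPs, and written out as CSV. The workspace ID, bearer token, KQL text and the sample response are all assumed or constructed for illustration.

```python
import csv
import io
import json
import urllib.request

# Log Analytics query API endpoint (https://docs.microsoft.com/en-us/rest/api/loganalytics/).
# The workspace ID and bearer token are supplied by the caller; the token must be
# issued for the resource https://api.loganalytics.io.
QUERY_URL = "https://api.loganalytics.io/v1/workspaces/{workspace_id}/query"

# Hypothetical saved search: failed sign-ins in the last day.
KQL = """SigninLogs
| where TimeGenerated > ago(1d)
| where ResultType != 0
| project TimeGenerated, UserPrincipalName, IPAddress, ResultType"""

def build_request(workspace_id, token, query, timespan="P1D"):
    """Build the POST request: JSON body {query, timespan}, bearer auth header."""
    body = json.dumps({"query": query, "timespan": timespan}).encode()
    return urllib.request.Request(
        QUERY_URL.format(workspace_id=workspace_id), data=body, method="POST",
        headers={"Authorization": f"Bearer {token}", "Content-Type": "application/json"})

def run_query(workspace_id, token, query):
    """Send the query and return the parsed JSON result (needs network and a valid token)."""
    with urllib.request.urlopen(build_request(workspace_id, token, query)) as resp:
        return json.load(resp)

def tables_to_rows(result):
    """Flatten the API's {"tables": [{"columns": [...], "rows": [...]}]} shape into dicts."""
    rows = []
    for table in result.get("tables", []):
        names = [c["name"] for c in table["columns"]]
        rows.extend(dict(zip(names, row)) for row in table["rows"])
    return rows

def match_iocs(rows, ioc_ips):
    """Keep only rows whose IPAddress is in the indicator set."""
    return [r for r in rows if r.get("IPAddress") in ioc_ips]

def to_csv(rows):
    """Serialise the flattened rows as CSV text, header first."""
    if not rows:
        return ""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=list(rows[0]), lineterminator="\n")
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()

# Constructed sample response in the documented shape, so the parsing runs offline.
SAMPLE_RESPONSE = {"tables": [{"name": "PrimaryResult",
    "columns": [{"name": "TimeGenerated", "type": "datetime"}, {"name": "UserPrincipalName", "type": "string"},
                {"name": "IPAddress", "type": "string"}, {"name": "ResultType", "type": "string"}],
    "rows": [["2019-03-20T10:00:00Z", "alice@example.com", "203.0.113.5", "50126"],
             ["2019-03-20T10:02:00Z", "bob@example.com", "198.51.100.7", "50053"]]}]}

if __name__ == "__main__":
    print(to_csv(match_iocs(tables_to_rows(SAMPLE_RESPONSE), {"198.51.100.7"})))
```

Replace SAMPLE_RESPONSE with run_query(workspace_id, token, KQL) to run it against a real workspace; the same flattening works for the OfficeActivity and SecurityAlert tables since the response shape is identical.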