An Azure Log Analytics workspace is a unique environment for log data from Azure Monitor and other Azure services such as Microsoft Sentinel, Microsoft Defender for Cloud and Azure Kubernetes Service. Each workspace has its own data repository and configuration but may combine data from multiple Azure services. Log Analytics is the tool used to edit and run log queries against the data in Azure Monitor Logs; with it you can sort, filter and analyze the set of records that a query returns.
NetWitness Platform XDR collects logs from an Azure Log Analytics workspace through the Log Analytics query API. The plugin module that calls the API generates a query that fetches a specific type of log from a specific table. A workspace can contain logs from many sources, and each source may write to a different table. For example, to collect Azure Kubernetes Service (AKS) logs, customers must first forward the AKS diagnostic logs to the Log Analytics workspace (follow the detailed instructions in the plugin documentation referenced below). In NetWitness Platform XDR, the customer then enters the table name "AzureDiagnostics" and the log types from the list "kube-apiserver", "kube-audit", "kube-audit-admin", "kube-scheduler" and "guard". Make sure that the log types are separated by commas without any spaces, for example: kube-apiserver,kube-audit. For more information about the Azure Log Analytics workspace integration, refer to the documentation references provided at the end of this blog.
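To make the "table plus log types" input concrete, here is an added example (not the NetWitness plugin's own code) that builds the kind of KQL query such a collector sends to the Log Analytics query API and applies the same filter to a few constructed AzureDiagnostics rows. For AKS diagnostic logs the log type is the value of the Category column and the raw line is in log_s. The strict comma-without-spaces parsing, the table-name check and the hypothetical helper names (parse_log_types, build_kql, select_rows) are assumptions made for this example; the query endpoint URL is the documented Log Analytics query API, but nothing is sent here.

```python
"""Added example: build a Log Analytics (KQL) query from a table name and a
comma-separated list of log types, then check the selection offline.
Illustrative code only; not the NetWitness plugin's implementation."""
import json
import re
from datetime import datetime, timezone

# AKS diagnostic categories named in the post (constructed list for the example).
AKS_LOG_TYPES = ("kube-apiserver", "kube-audit", "kube-audit-admin",
                 "kube-scheduler", "guard")

_TOKEN = re.compile(r"^[A-Za-z0-9_-]+$")          # one Category value
_TABLE = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")  # a KQL table name


def parse_log_types(raw: str) -> list[str]:
    """Split the 'kube-apiserver,kube-audit' form the post asks for.

    Assumption: a collector splits on ',' literally, so a space after the comma
    would become part of the next Category value and silently match no rows.
    Rejecting it here is friendlier than an empty result set.
    """
    types = raw.split(",")
    for t in types:
        if not _TOKEN.match(t):
            raise ValueError(
                f"bad log type {t!r}: use comma-separated names with no spaces")
    return types


def build_kql(table: str, raw_log_types: str, since: datetime) -> str:
    """Return a KQL query selecting the requested categories newer than `since`.

    Table and category strings are validated before interpolation so that
    operator-supplied input cannot change the structure of the query.
    """
    if not _TABLE.match(table):
        raise ValueError(f"bad table name {table!r}")
    if since.tzinfo is None:
        raise ValueError("since must be timezone-aware")
    stamp = since.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    cats = ", ".join(f'"{c}"' for c in parse_log_types(raw_log_types))
    return (
        f"{table}\n"
        f"| where TimeGenerated > datetime({stamp})\n"
        f"| where Category in ({cats})\n"
        "| order by TimeGenerated asc"
    )


def build_query_request(workspace_id: str, kql: str) -> tuple[str, str]:
    """URL and JSON body for a POST to the Log Analytics query API.
    The caller adds an Azure AD bearer token in the Authorization header."""
    url = f"https://api.loganalytics.io/v1/workspaces/{workspace_id}/query"
    return url, json.dumps({"query": kql})


# Constructed sample rows shaped like AzureDiagnostics records from an AKS
# cluster; only the columns this example uses are included.
SAMPLE_ROWS = [
    {"TimeGenerated": "2024-03-01T10:00:00Z", "Category": "kube-apiserver",
     "log_s": "I0301 10:00:00 httplog.go:132] GET /api/v1/namespaces 200"},
    {"TimeGenerated": "2024-03-01T10:00:05Z", "Category": "kube-audit",
     "log_s": '{"kind":"Event","verb":"create","objectRef":{"resource":"pods"}}'},
    {"TimeGenerated": "2024-03-01T10:00:07Z", "Category": "kube-scheduler",
     "log_s": "I0301 10:00:07 scheduler.go:600] Successfully bound pod"},
    {"TimeGenerated": "2024-02-28T23:59:00Z", "Category": "kube-audit",
     "log_s": '{"kind":"Event","verb":"get"}'},  # older than the checkpoint
]

DEMO_SINCE = datetime(2024, 3, 1, tzinfo=timezone.utc)  # collection checkpoint


def select_rows(rows, raw_log_types: str, since: datetime) -> list[dict]:
    """Apply the same Category/TimeGenerated filter locally, so the selection the
    query expresses can be checked without access to a workspace."""
    wanted = set(parse_log_types(raw_log_types))
    out = []
    for r in rows:
        ts = datetime.strptime(r["TimeGenerated"], "%Y-%m-%dT%H:%M:%SZ")
        ts = ts.replace(tzinfo=timezone.utc)
        if r["Category"] in wanted and ts > since:
            out.append(r)
    return out


if __name__ == "__main__":
    kql = build_kql("AzureDiagnostics", "kube-apiserver,kube-audit", DEMO_SINCE)
    print(kql)
    for r in select_rows(SAMPLE_ROWS, "kube-apiserver,kube-audit", DEMO_SINCE):
        print(r["Category"], r["log_s"][:40])
```

The checkpoint in the TimeGenerated clause is what lets a collector poll the API repeatedly without re-ingesting rows it has already fetched; the plugin's own bookkeeping for that is described in its documentation, not here.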
Events are collected in JSON format. Customers should enable the azure parser on the NetWitness Log Decoder to parse the collected events.
1. Log Analytics Plugin Documentation
2. About Log Analytics workspace
Log Collector package on NetWitness Live: "Log Collector configuration content for event source MS Azure Loganalytics"
Log parser on NetWitness Live: azure