Log Analytics Query

Runs and ingests custom queries from Azure Log Analytics to collect operational or identity-related logs

Sync Type: Incremental

Requirements

Before setting up the Microsoft Log Analytics Query you need to:

1. Have a Microsoft Account with an active Azure Subscription
2. Create a Application with API Data.Read access to the Log Analytics API
3. Reader permissions granted to the application from the Logs Analytics Workspace

Note: Fetches logs from t-24h on the first sync. Subsequent syncs are incremental and fetch data from the last successful sync time to the current time.

Configuration

Settings

Setting	Type	Required	Description
Tenant ID	string	true	The tenant ID of the Azure AD application
Workspace ID	string	true	The workspace ID of the Log Analytics workspace
Query	string	true	The query to run against the Log Analytics workspace

Secrets

Setting	Type	Required	Description
Client ID	string	true	The client ID of the Azure AD application
Client Secret	string	true	The client secret of the Azure AD application

Setting up API Access

1. Registering a new application
   1. Open the App Registration page in the Azure portal.
   2. Select New Registration
   3. Add a name to the new registration
   4. Click Register
   5. Save the applications Application (client) ID and Directory (tenant) ID
   6. Select Certificates and Secrets
   7. Click link next to Client credentials
   8. In "Client secrets" click "New client secret"
   9. Add a name and expiration to the new secret
   10. Save the client secret value
2. Give application access to Log Analytics API
   1. Click "API Permissions" on left sidebar
   2. Click "Add Permission"
   3. Click "Logs Analytics API"
   4. Select "Delegated permissions"
   5. Select "Data.Read"
3. Grant access to your Log Analytics Workspace
   1. Navigate to the Log Analytics Workspace
   2. Select the workspace
   3. Click "Access control (IAM)" on the left menu
   4. Select "Add Role Assignment" from the "+ Add" menu
   5. Select the Reader role and click Next
   6. Click "Select members"
   7. Search for the new application name and click Select
   8. Click "Review + assign"
   9. Confirm by clicking "Review + assign"

Custom Schema Handling

If the source data doesn't align with any of the OpenSecurityControlFramework (OSCF) schemas, you can create a custom transformation using our JQ transform pipeline. For example:

{
  metadata: {
    schema_version: "1.0.0",
    custom_framework: "my_framework"
  },
  controls: .[]
}

For more information on JQ and how to write your own JQ transformations see the JQ docs here.

If you believe this data source should be included in the standard OSCF schema set, please reach out to our team at support@monad.com. We're always looking to expand our coverage of security control frameworks based on community needs.

Related Articles

• Setting up an application
• Access to Log Analytics API

Sample Record

{
  "AADOperationType": "Update",
  "AADTenantId": "93fb41be-4899-ecaf-1b55-0547900bd2e9",
  "ActivityDateTime": "2025-08-11T23:46:40Z",
  "ActivityDisplayName": "Update service principal",
  "AdditionalDetails": [
    {
      "key": "AppId",
      "value": "fd9117e7-bf38-5739-7f5d-3a63870cdaa4"
    }
  ],
  "Category": "ApplicationManagement",
  "CorrelationId": "c3dcb22a-603a-0d0c-7295-a7900697781f",
  "DurationMs": 0,
  "Id": "Directory_4f59374e-1cca-f37e-9f31-face3ea0fbc2",
  "Identity": "Microsoft Intune",
  "InitiatedBy": {
    "app": {
      "appId": null,
      "displayName": "Microsoft Intune",
      "servicePrincipalId": "05827936-ddd3-7741-44f1-e025b8531c94",
      "servicePrincipalName": null
    }
  },
  "Level": "4",
  "Location": "",
  "LoggedByService": "Core Directory",
  "OperationName": "Update service principal",
  "OperationVersion": "1.0",
  "Resource": "Microsoft.aadiam",
  "ResourceGroup": "Microsoft.aadiam",
  "ResourceId": "/tenants/549d26cd-bcaa-6519-605d-95f3df900a23/providers/Microsoft.aadiam",
  "ResourceProvider": "",
  "Result": "success",
  "ResultDescription": "",
  "ResultReason": "",
  "ResultSignature": "None",
  "ResultType": "",
  "SourceSystem": "Azure AD",
  "TargetResources": [
    {
      "administrativeUnits": [],
      "displayName": "Microsoft Intune",
      "id": "118d65e1-1bee-e36c-462e-ac5b9744bec3",
      "modifiedProperties": [
        {
          "displayName": "Included Updated Properties",
          "newValue": "\"\"",
          "oldValue": null
        },
        {
          "displayName": "TargetId.ServicePrincipalNames",
          "oldValue": null
        }
      ],
      "type": "ServicePrincipal"
    }
  ],
  "TenantId": "77864e40-f565-a1e6-b392-641e166428f7",
  "TimeGenerated": "2025-08-11T23:46:40Z",
  "Type": "AuditLogs"
}