Using a non-Sentinel Log Analytics Workspace with Copilot for Security
Non-Sentinel customers? How is that possible?
This tidbit is for those who are not Microsoft Sentinel customers (they really do exist) but would still like to take advantage of the many logs available in Azure to expand Copilot for Security’s knowledge.
In the past, you’ve seen me develop and detail various Copilot for Security plugins that use the Microsoft Sentinel Log Analytics workspace (LAW) to process KQL queries. You can find all of those in the Plugins directory of my GitHub repo: https://github.com/rod-trent/Copilot-for-Security/tree/main/Plugins
It’s easy for me to just sidecar the Sentinel LAW because I maintain a big demo environment. But for those who don’t maintain a Sentinel environment, here’s the process for using a separate LAW.
1 - Create a New LAW
In the Azure portal, create a new Log Analytics workspace. This is where you will store tables of rows and columns of data that can be queried using KQL. Take note of the Resource Group and the workspace Name. You’ll need these to create your own Copilot for Security plugin.
Note that when you provision a new LAW, the tables shown in the screenshot are available by default.
2 - Connect Logs
Each service in Azure has a Monitoring option called “Diagnostic Settings.” Locate the service whose logs you want to connect to the new LAW and open its Diagnostic Settings option.
In my example below, I’m connecting the Diagnostic Setting for Entra ID, which includes tons of worthwhile logs.
Check the logs you want to connect and then, under Destination details, choose Send to Log Analytics workspace and supply the name of the LAW you created earlier.
Be patient. It can take up to 30 minutes after creating the Diagnostic Setting for the tables for the selected service to show up in the new LAW.
3 - Creating the Custom Plugin
You can use the following as a template to create your own Copilot for Security custom plugin. For your own plugin, though, just replace all the placeholder values (in angle brackets) with your information, noting that
Descriptor:
  Name: StandaloneLAW
  DisplayName: Standalone-LAW
  Description: Querying a standalone Log Analytics Workspace
SkillGroups:
  - Format: KQL
    Skills:
      - Name: StandaloneLAW
        DisplayName: Standalone-LAW
        Description: Querying a standalone Log Analytics Workspace
        Settings:
          TenantId: <your_tenant_ID>
          SubscriptionId: <your_subscription_ID>
          ResourceGroupName: <your_RG_name>
          WorkspaceName: <your_WS_name>
        Template: |-
          AADNonInteractiveUserSignInLogs
          | where TimeGenerated > ago(24h)
          | where ResourceDisplayName == "Microsoft Graph" and AppDisplayName == "Medeina Service"
          | extend city_ = tostring(parse_json(LocationDetails).city)
          | extend countryOrRegion_ = tostring(parse_json(LocationDetails).countryOrRegion)
          | extend state_ = tostring(parse_json(LocationDetails).state)
          | project TimeGenerated, OperationName, Category, Identity, AppDisplayName, city_, countryOrRegion_, state_
An example of the output…
How is this template different from the ones I created that use the Microsoft Sentinel LAW?
Compare the following with the template above and look at what is missing…
  Target: Sentinel
  TenantId: <your_tenant_ID>
  SubscriptionId: <your_subscription_ID>
  ResourceGroupName: <your_RG_name>
  WorkspaceName: <your_WS_name>
The Standalone LAW template is also available here: https://github.com/rod-trent/Copilot-for-Security/blob/main/Plugins/Standalone_LAW_Template.yaml
To install this in your own Copilot for Security instance, see: Add custom plugins
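As an added example (not from this post or the GitHub repo), here is a second manifest in the same plugin format that adds the check a practitioner wants after step 2: a skill that confirms the Entra ID tables are actually receiving rows in the standalone LAW, plus a summary skill that generalizes the location query above across all apps rather than only the Copilot service. The skill names and descriptions, and the choice of SigninLogs, AADNonInteractiveUserSignInLogs and AuditLogs as the tables to check, are my assumptions; the Settings placeholders are the same as in the template.

```yaml
Descriptor:
  Name: StandaloneLAWChecks
  DisplayName: Standalone-LAW-Checks
  Description: Ingestion check and sign-in location summary for a standalone Log Analytics Workspace
SkillGroups:
  - Format: KQL
    Skills:
      - Name: EntraIngestionCheck
        DisplayName: Entra-Ingestion-Check
        Description: Confirms that Entra ID diagnostic logs are arriving in the standalone workspace
        Settings:
          TenantId: <your_tenant_ID>
          SubscriptionId: <your_subscription_ID>
          ResourceGroupName: <your_RG_name>
          WorkspaceName: <your_WS_name>
        Template: |-
          // Row count and newest timestamp per Entra ID table (assumed table set).
          // isfuzzy=true keeps the query working while a table has not appeared yet,
          // which is expected for up to 30 minutes after the Diagnostic Setting is created.
          union withsource=SourceTable isfuzzy=true
              SigninLogs, AADNonInteractiveUserSignInLogs, AuditLogs
          | where TimeGenerated > ago(24h)
          | summarize Rows = count(), Latest = max(TimeGenerated) by SourceTable
          | order by SourceTable asc
      - Name: SignInLocationSummary
        DisplayName: Sign-In-Location-Summary
        Description: Summarizes non-interactive sign-ins by application and location over the last 24 hours
        Settings:
          TenantId: <your_tenant_ID>
          SubscriptionId: <your_subscription_ID>
          ResourceGroupName: <your_RG_name>
          WorkspaceName: <your_WS_name>
        Template: |-
          // Same LocationDetails parsing as the template above, but summarized
          // across every application so unusual countries stand out.
          AADNonInteractiveUserSignInLogs
          | where TimeGenerated > ago(24h)
          | extend Location = parse_json(LocationDetails)
          | extend countryOrRegion_ = tostring(Location.countryOrRegion),
                   state_ = tostring(Location.state),
                   city_ = tostring(Location.city)
          | summarize SignIns = count(), Users = dcount(Identity), Latest = max(TimeGenerated)
              by AppDisplayName, countryOrRegion_, state_, city_
          | order by SignIns desc
```

If the ingestion skill returns no row for a table, the Diagnostic Setting for that log category is either still propagating or was not selected in step 2.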