
Injecting data from Azure Functions to Log Analytics queries via Azure Monitor Workbooks

Use case

Azure Monitor workbooks can populate parameters with queries against various data sources. One of these options is the custom endpoint, which lets you bring data into Log Analytics queries that would otherwise not be available in any Log Analytics table, or include data on demand for a single query without storing it permanently as a table in Log Analytics.

Background

This post does not cover what Azure Monitor or KQL is. For background context, the following source is recommended reading

Examples

One example is fetching Azure AD role data ad hoc to enrich Azure AD sign-in logs with the role information of the user (a small project log is available: Project Log 0 : Monitor logins by accounts assigned Azure AD roles)

Inject data from function to workbook param

  • Azure Monitor Workbook calls Azure Function for the role data to be fetched from Graph API
  • Response from Azure Function is injected into KQL datatable with the dynamic keyword

//Inject data from Azure Function to Log Analytics query
datatable (injected: dynamic) [
    dynamic({admins})
]
| mv-expand injected
| extend admin = parse_json(injected)
| project upn = tolower(tostring(admin['userPrincipalName'])), role = admin['role']
| summarize make_set(role) by upn;

Settings for documentation

  • Azure Function should return content-type 'application/json' for the use case described here (the result format is still content, as KQL does the parsing with parse_json())
  • Azure Function has to have CORS enabled with Log Analytics as the caller
  • Azure Function should be limited to the IPs of the caller (the user of the workbook)
    • The call is made from client-side JS, so the function always sees the IP of the caller, not the IP of the Microsoft back end
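
The data contract between the function and the query, as an added example that is not code from the original post: the function returns a JSON array that is pasted as text into dynamic({admins}), so it should contain only the two fields the query reads. The field names userPrincipalName and role come from the KQL above; the function names, the sample assignments and the choice of JavaScript are assumptions.

```javascript
// Added example, not from the original post. Helper names and sample data are
// constructed; only userPrincipalName and role come from the post's KQL.

// Constructed sample of role assignments as they might come back from Graph API.
const sampleAssignments = [
  { userPrincipalName: "Alice@contoso.example", role: "Global Administrator", id: "x1" },
  { userPrincipalName: "alice@contoso.example", role: "Security Reader", id: "x2" },
  { userPrincipalName: "bob@contoso.example", role: "User Administrator", id: "x3" },
  { userPrincipalName: "eve@contoso.example", role: 42, id: "x4" }, // malformed, dropped
];

// Build the HTTP response for the workbook: JSON content type, and only the
// two string fields the query projects (nothing else from the source leaks).
function buildResponse(assignments) {
  const rows = assignments
    .filter(a => typeof a.userPrincipalName === "string" && typeof a.role === "string")
    .map(a => ({ userPrincipalName: a.userPrincipalName, role: a.role }));
  return {
    status: 200,
    headers: { "Content-Type": "application/json" },
    body: JSON.stringify(rows),
  };
}

// Mimic the workbook substituting the response text for {admins} in the query.
// Refuses anything that is not a JSON array, since mv-expand expects one.
function renderQuery(template, body) {
  if (!Array.isArray(JSON.parse(body))) throw new Error("expected a JSON array");
  return template.replace("{admins}", () => body); // replacer avoids "$" patterns
}

// Mimic the KQL pipeline: mv-expand, tolower(upn), summarize make_set(role) by upn.
function summarizeByUpn(body) {
  const byUpn = new Map();
  for (const admin of JSON.parse(body)) {
    const upn = String(admin.userPrincipalName).toLowerCase();
    if (!byUpn.has(upn)) byUpn.set(upn, new Set());
    byUpn.get(upn).add(admin.role);
  }
  return Object.fromEntries([...byUpn].map(([upn, roles]) => [upn, [...roles]]));
}

console.log(summarizeByUpn(buildResponse(sampleAssignments).body));
```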

Mapping JSON to multi-value picker

While my example lets the KQL query do the parsing, for other use cases you can also parse the parameters into individual values based on the results of the custom endpoint
