Execute cross-workspace KQL query
Action ID: tools.azure_log_analytics.execute_cross_workspace_kql_query
Execute a KQL query across multiple Log Analytics workspaces for federated Azure Log Analytics queries.
Reference: https://learn.microsoft.com/en-us/rest/api/loganalytics/dataaccess/query/execute
Secrets
Optional secrets:
azure_log_analytics_oauth: OAuth token AZURE_LOG_ANALYTICS_USER_TOKEN.
azure_log_analytics_oauth: OAuth token AZURE_LOG_ANALYTICS_SERVICE_TOKEN.
Input fields
List of additional workspace IDs to query.
KQL query to execute across workspaces.
Primary Log Analytics workspace ID (GUID).
Base URL for the Azure Log Analytics API. Default: "https://api.loganalytics.io". Allowed values: https://api.loganalytics.io, https://api.loganalytics.us.
ISO8601 time period to limit query results (e.g., “P7D” for 7 days). Default: null.

Execute KQL query
Action ID: tools.azure_log_analytics.execute_kql_query
Execute a KQL query against an Azure Log Analytics workspace.
Reference: https://learn.microsoft.com/en-us/rest/api/loganalytics/dataaccess/query/execute
Secrets
Optional secrets:
azure_log_analytics_oauth: OAuth token AZURE_LOG_ANALYTICS_USER_TOKEN.
azure_log_analytics_oauth: OAuth token AZURE_LOG_ANALYTICS_SERVICE_TOKEN.
Input fields
KQL query to execute (e.g., “SecurityIncident | take 10”).
Log Analytics workspace ID (GUID).
Base URL for the Azure Log Analytics API. Default: "https://api.loganalytics.io". Allowed values: https://api.loganalytics.io, https://api.loganalytics.us.
ISO8601 time period to limit query results (e.g., “P7D” for 7 days, “PT1H” for 1 hour). Default: null.
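How the input fields of both actions map onto the Log Analytics query REST call referenced above, as an added example that is not the integration's own code. The function and parameter names are hypothetical and the duration check is a simplified assumption; the endpoint path and the `query`, `timespan` and `workspaces` body keys follow the referenced REST API.

```python
import re
import uuid

# Base URLs the page lists as allowed values. Refusing anything else keeps the
# OAuth bearer token from being sent to an arbitrary host.
ALLOWED_BASE_URLS = {"https://api.loganalytics.io", "https://api.loganalytics.us"}

# Simplified ISO 8601 duration pattern (assumption: plain durations such as
# P7D or PT1H only, no start/end intervals).
_DURATION = re.compile(
    r"P(?=.)(\d+Y)?(\d+M)?(\d+W)?(\d+D)?(T(?=\d)(\d+H)?(\d+M)?(\d+S)?)?"
)


def _guid(value):
    """Return the canonical lowercase GUID, or raise ValueError if malformed.

    Canonicalising means only hex digits and hyphens can reach the URL path.
    """
    return str(uuid.UUID(value))


def build_query_request(workspace_id, query,
                        base_url="https://api.loganalytics.io",
                        timespan=None, additional_workspaces=None):
    """Validate the inputs and return (url, json_body) for the query endpoint.

    Nothing is sent; the caller adds the Authorization header and POSTs.
    """
    if base_url not in ALLOWED_BASE_URLS:
        raise ValueError(f"base URL not allowed: {base_url!r}")
    if not query or not query.strip():
        raise ValueError("query must not be empty")

    body = {"query": query}
    if timespan is not None:
        if not _DURATION.fullmatch(timespan):
            raise ValueError(f"not an ISO 8601 duration: {timespan!r}")
        body["timespan"] = timespan
    if additional_workspaces:
        # Cross-workspace action: extra workspaces travel in the request body.
        body["workspaces"] = [_guid(w) for w in additional_workspaces]

    url = f"{base_url}/v1/workspaces/{_guid(workspace_id)}/query"
    return url, body
```
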