> ## Documentation Index
> Fetch the complete documentation index at: https://docs.tracecat.com/llms.txt
> Use this file to discover all available pages before exploring further.

# Azure Log Analytics

> Reference for the Tracecat Azure Log Analytics integration: registered actions, required secrets, expected inputs, and example workflow usage.

## Execute cross-workspace KQL query

Action ID: `tools.azure_log_analytics.execute_cross_workspace_kql_query`

Execute a KQL query across multiple Log Analytics workspaces for federated Azure Log Analytics queries.

Reference: [https://learn.microsoft.com/en-us/rest/api/logsquery/query/execute?view=rest-logsquery-v1](https://learn.microsoft.com/en-us/rest/api/logsquery/query/execute?view=rest-logsquery-v1)

### Secrets

Optional secrets:

* `azure_log_analytics_oauth`: OAuth token `AZURE_LOG_ANALYTICS_USER_TOKEN`.
* `azure_log_analytics_oauth`: OAuth token `AZURE_LOG_ANALYTICS_SERVICE_TOKEN`.

### Input fields

<ParamField path="additional_workspaces" type="array[string]" required>
  List of additional workspace IDs to query.
</ParamField>

<ParamField path="query" type="string" required>
  KQL query to execute across workspaces.
</ParamField>

<ParamField path="workspace_id" type="string" required>
  Primary Log Analytics workspace ID (GUID).
</ParamField>

<ParamField path="base_url" type="string">
  Base URL for the Azure Log Analytics API.

  Default: `"https://api.loganalytics.io"`.

  Allowed values: `https://api.loganalytics.io`, `https://api.loganalytics.us`.
</ParamField>

<ParamField path="timespan" type="string | null">
  ISO8601 time period to limit query results (e.g., "P7D" for 7 days).

  Default: `null`.
</ParamField>

## Execute KQL query

Action ID: `tools.azure_log_analytics.execute_kql_query`

Execute a KQL query against Azure Log Analytics workspace.

Reference: [https://learn.microsoft.com/en-us/rest/api/logsquery/query/execute?view=rest-logsquery-v1](https://learn.microsoft.com/en-us/rest/api/logsquery/query/execute?view=rest-logsquery-v1)

### Secrets

Optional secrets:

* `azure_log_analytics_oauth`: OAuth token `AZURE_LOG_ANALYTICS_USER_TOKEN`.
* `azure_log_analytics_oauth`: OAuth token `AZURE_LOG_ANALYTICS_SERVICE_TOKEN`.

### Input fields

<ParamField path="query" type="string" required>
  KQL query to execute (e.g., "SecurityIncident | take 10").
</ParamField>

<ParamField path="workspace_id" type="string" required>
  Log Analytics workspace ID (GUID).
</ParamField>

<ParamField path="base_url" type="string">
  Base URL for the Azure Log Analytics API.

  Default: `"https://api.loganalytics.io"`.

  Allowed values: `https://api.loganalytics.io`, `https://api.loganalytics.us`.
</ParamField>

<ParamField path="timespan" type="string | null">
  ISO8601 time period to limit query results (e.g., "P7D" for 7 days, "PT1H" for 1 hour).

  Default: `null`.
</ParamField>