How to setup KQLMagic easy

Python 1 Minute

Even this is written in one of the connection examples, it wasn’t clear to me there is a really easy way of authenticating to Log Analytics using KQLMagic.

This option can be used when you want to have a browser popup appear for the user to sign in to Log Analytics, showing an AAD login form. From this interactive popup, KQLMagic will receive the tokens necessary to Query the configured Log Analytics  Workspace on behalf of the user.

I will explain using VisualStudio Code from which I send python script to a dockerhost running jupyter, the python script will be the same no matter if you use this directly in your scipy notebook or remote.

Setup:

#%%
!pip install Kqlmagic --no-cache-dir --upgrade
#%%
tenantID='a87101d0-71e5-40d5-829e-cf14f5cbe9de'
workspaceID='88e4dd19-caa6-4a38-a2e2-506488c113df'
#%%
%env KQLMAGIC_CONNECTION_STR=loganalytics://code;tenant="$tenantID";workspace="$workspaceID"
view raw Setup-EasyKQLMagic.py hosted with ❤ by GitHub
  1. The first line installs the KQLMagic module into Python.
  2. Second we configure the variables that will help build the connectionstring for KQLMagic. These are the ids for my private environment, you need to replace these with yours. (see quicktips below)
  3. Last the connectionstring will be saved to an environment variable that KQLMagic automatically loads on start.

Notice the “…loganalytics://code;….”
The keyword code in the connectionstring will instruct KQLMagic to authenticate using device code (using ADAL).

Reload

#%%
%reload_ext Kqlmagic
view raw Load-EasyKQLMagic.py hosted with ❤ by GitHub

This will reload the extension so KQLMagic joins in the game!

Screenshot 2019-10-18 at 16.58.46

Query

#%%
%kql AzureActivity | where Caller contains "maurice" | where TimeGenerated > ago(12h) | project TimeGenerated, OperationName, ActivityStatus, CallerIpAddress
view raw Query-EasyKQLMagic.py hosted with ❤ by GitHub

Screenshot 2019-10-18 at 16.21.26

Now, in my situation the “Copy code…” button does not work. I have to copy the device code manually and open https://microsoft.com/devicelogin myself and paste the code.

After this you have to enter credentials for the Log Analytics Workspace.

If you have successfully been authenticated the query will run.

 

Screenshot 2019-10-18 at 17.11.31

Quicktips:

tenant id: navigate to https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/Properties the value of Directory ID is your tenant id
Screenshot 2019-10-18 at 16.47.50

workspace id: navigate to https://portal.azure.com/#blade/HubsExtension/BrowseResourceBlade/resourceType/Microsoft.OperationalInsights%2Fworkspaces and select your workspace you wish to query, in the workspace essentials on the right collumn you can find the workspace id.

Published by Maurice de Jong

Consultant at Wortel Enterprise Security

Published

One thought on “How to setup KQLMagic easy

  1. Pingback: How to authenticate Python interactively to Microsoft Azure – MCP for life

Leave a Reply

Fill in your details below or click an icon to log in:

Gravatar
WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Cancel

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.