Azure Monitor Source Node
Quick Reference
- Workspace ID: The Log Analytics workspace ID to query. ex: `a1b2c3d4-e5f6-7890-abcd-ef1234567890`
- Tenant ID: Azure Active Directory tenant ID. ex: `a1b2c3d4-e5f6-7890-abcd-ef1234567890`
- KQL Query: The Kusto Query Language (KQL) query to run against the workspace. ex: `SecurityEvent | where EventID == 4625 | take 100`
- Use Credentials: Azure Service Principal credential (client ID and secret) for authentication.
- Batch Size: Maximum number of rows returned per query execution. ex: `1000`
Overview
The Azure Monitor Source node queries Azure Monitor (Log Analytics / Azure Sentinel) using KQL and emits each result row as a record. It enables security and observability workflows that consume log data from Azure workspaces, including threat detection pipelines built on Microsoft Sentinel.
Configuration
| Field | Description | Required | Default |
|---|---|---|---|
| Workspace ID | The Log Analytics workspace ID to query. | Yes | — |
| Tenant ID | Azure Active Directory tenant ID associated with the workspace. | Yes | — |
| KQL Query | The Kusto Query Language (KQL) query to run against the workspace. | Yes | — |
| Use Credentials | Select or create a credential for authentication. | Yes | — |
| Batch Size | Maximum number of rows returned per query execution. Must be at least 1. | No | 1000 |
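An added example of a detection-style query for the KQL Query field (this is not from the original page or the product's own documentation). It builds on the quick-reference example (EventID 4625) but aggregates failed logons per source address in 5-minute bins over the last hour, so each record the node emits is a candidate brute-force burst rather than a single event; the trailing `take` bounds the row count inside the query itself, independently of the node's Batch Size. It assumes the standard SecurityEvent schema column names (TimeGenerated, EventID, TargetUserName, IpAddress, Computer).

```kql
// Failed Windows logons (4625) grouped by source address and 5-minute window.
// Assumes the standard SecurityEvent column names in Log Analytics.
SecurityEvent
| where TimeGenerated > ago(1h)
| where EventID == 4625
| summarize
    FailedLogons = count(),
    TargetAccounts = make_set(TargetUserName, 20),
    Hosts = make_set(Computer, 10)
    by IpAddress, WindowStart = bin(TimeGenerated, 5m)
// Threshold chosen for illustration; tune to the environment's baseline.
| where FailedLogons >= 10
| order by FailedLogons desc
// Keep the result bounded; the node's Batch Size caps rows per execution separately.
| take 1000
```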
Related Nodes
- Azure Monitor Sink: Forward pipeline records to Azure Monitor Logs via the Ingestion API
- Elasticsearch Source: Query an Elasticsearch index and emit each hit as a record