Azure Monitor Source Node
The azuremonitorsource node queries Azure Monitor Log Analytics workspaces using KQL and emits each result row as a pipeline record.
The source is compatible with Azure Sentinel (Microsoft Sentinel) workspaces and supports Service Principal authentication or the default Azure credential chain.
Key Features
- KQL queries: run any Kusto Query Language expression against a Log Analytics workspace
- Azure Sentinel compatibility: works with Microsoft Sentinel workspaces without additional configuration
- Service Principal authentication: authenticates with Azure Service Principal credentials (client ID / client secret) supplied as a username/password credential
- Configurable batch size: limit the number of rows returned per query execution via batchSize
Configuration
| Field | Type | Required | Default | Description |
|---|---|---|---|---|
| workspaceId | String | Yes | — | Log Analytics workspace ID to query |
| tenantId | String | Yes | — | Azure Active Directory tenant ID |
| kqlQuery | String | Yes | — | Kusto Query Language (KQL) query to run against the workspace |
| credentialId | String | Yes | — | ID of Azure Service Principal credentials (username/password) in jobContext.otherProperties |
| batchSize | int | No | 1000 | Maximum rows returned per query execution (must be at least 1) |
KQL Query Tips
KQL queries can filter by time range, severity, or any field available in the target table. A typical security-focused query:
SecurityEvent
| where TimeGenerated > ago(1h)
| where EventLevelName == "Error"
| project TimeGenerated, Computer, Activity
Key tips:
- Always scope queries with a TimeGenerated filter to avoid scanning the entire table
- Use project to return only the fields needed downstream; this reduces record payload size
- The batchSize field caps the number of rows returned; add | top N by TimeGenerated desc inside the query to control ordering before the limit is applied
DAG Example
jobContext:
  otherProperties:
    azure-cred:
      username: my-client-id
      password: my-client-secret
  metricTags: {}
  dlqConfig:
dag:
  - id: "source"
    commandName: "azuremonitorsource"
    config:
      workspaceId: "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
      tenantId: "yyyyyyyy-yyyy-yyyy-yyyy-yyyyyyyyyyyy"
      kqlQuery: "SecurityEvent | where TimeGenerated > ago(1h) | where EventLevelName == 'Error' | project TimeGenerated, Computer, Activity"
      credentialId: "azure-cred"
      batchSize: 1000
    outputs:
      - "sink"
  - id: "sink"
    commandName: "stdout"
    config:
      encodingType: "JSON_OBJECT"
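A pre-flight check for the DAG example above and the KQL tips before it, written here as an added example rather than code from the node itself: it validates an azuremonitorsource node against the configuration table (required fields, batchSize at least 1, credentialId resolving to a username/password entry in jobContext.otherProperties) and reports which of the query tips the kqlQuery does not follow. The validator functions and the sample dicts are hypothetical helpers that mirror the page's example with its placeholder IDs.

```python
import re

REQUIRED = ("workspaceId", "tenantId", "kqlQuery", "credentialId")

def validate_source(node, job_context):
    """Hard errors for an azuremonitorsource node; an empty list means it is usable."""
    errors = []
    if node.get("commandName") != "azuremonitorsource":
        errors.append("commandName must be azuremonitorsource")
    cfg = node.get("config") or {}
    for field in REQUIRED:
        if not cfg.get(field):
            errors.append(f"missing required field {field}")
    batch = cfg.get("batchSize", 1000)  # default taken from the configuration table
    if not isinstance(batch, int) or isinstance(batch, bool) or batch < 1:
        errors.append("batchSize must be an int >= 1")
    # credentialId must name a username/password entry in jobContext.otherProperties
    cred = (job_context.get("otherProperties") or {}).get(cfg.get("credentialId") or "")
    if not cred or not cred.get("username") or not cred.get("password"):
        errors.append("credentialId does not resolve to username/password credentials")
    return errors

def check_kql(query):
    """Soft findings from the KQL tips: time scoping, projection, ordering before the cap."""
    findings = []
    if not re.search(r"\|\s*where\b[^|]*\bTimeGenerated\b", query):
        findings.append("no TimeGenerated filter: the whole table would be scanned")
    if not re.search(r"\|\s*project\b", query):
        findings.append("no project: every column is shipped downstream")
    if not re.search(r"\|\s*top\s+\d+\s+by\s+TimeGenerated\s+desc\b", query):
        findings.append("no top N by TimeGenerated desc: batchSize caps unordered rows")
    return findings

# Constructed sample mirroring the DAG example on this page (placeholder IDs, not real ones)
JOB_CONTEXT = {"otherProperties": {"azure-cred": {"username": "my-client-id",
                                                  "password": "my-client-secret"}}}
SOURCE_NODE = {
    "id": "source", "commandName": "azuremonitorsource",
    "config": {
        "workspaceId": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
        "tenantId": "yyyyyyyy-yyyy-yyyy-yyyy-yyyyyyyyyyyy",
        "kqlQuery": "SecurityEvent | where TimeGenerated > ago(1h) "
                    "| where EventLevelName == 'Error' | project TimeGenerated, Computer, Activity",
        "credentialId": "azure-cred", "batchSize": 1000},
}

if __name__ == "__main__":
    print(validate_source(SOURCE_NODE, JOB_CONTEXT))            # [] (node is valid)
    print(check_kql(SOURCE_NODE["config"]["kqlQuery"]))         # one finding: no top N ordering
```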
Related Nodes
- azuremonitorsink: Forward pipeline records to Azure Monitor Logs via the Ingestion API
- elasticsearchsource: Query an Elasticsearch index and emit each hit as a record