# Azure Data Explorer

The Dropzone platform integrates with [Azure Data Explorer](https://learn.microsoft.com/en-us/azure/data-explorer/data-explorer-overview) (Kusto) so analysts can investigate organization-specific logs and telemetry that may not exist in Sentinel or Defender.

Dropzone uses your Microsoft Entra service principal to authenticate to one or more ADX clusters, discover available databases and tables, and execute read-only KQL queries. The ADX scanner builds table metadata (descriptions, fields, and query guidance) so the assistant can choose relevant tables and generate better queries.

## Integration Overview

To enable this integration, you will perform the following actions:

* Register a new application in Microsoft Entra Admin Center
* Locate your Client ID, Tenant ID, and create a Client Secret
* Assign Azure Data Explorer permissions for your service principal
* Collect your ADX Cluster URL(s)
* Install the credentials into your Dropzone tenant
* Run the scanner to discover ADX tables and schemas

See the [Microsoft Integrations](/integrations/data/ms_data.md) page for instructions on how to register a new application, locate your Client ID and Tenant ID, and create a Client Secret.

{% hint style="info" %}
When registering the application, set the "Supported account types" to "Accounts in this organizational directory only" and leave "Redirect URI" blank. No Microsoft Graph API permissions are required for this integration.
{% endhint %}

## Assign Azure Data Explorer Permissions

Your application must have read access to the ADX databases you want Dropzone to query.

You may use a [Kusto management command](https://learn.microsoft.com/en-us/kusto/management/?view=microsoft-fabric) to grant access. See Microsoft's guide to [granting a service principal access to the database](https://learn.microsoft.com/en-us/kusto/access-control/provision-entra-id-app?view=azure-data-explorer\&tabs=portal#grant-a-service-principal-access-to-the-database:~:text=Add%20permissions.-,Grant,-a%20service%20principal) for more information.

{% hint style="info" %}
Example management commands (run by an ADX admin):

```
.add cluster allDatabases viewers ('aadapp=<CLIENT_ID>;<TENANT_ID>')
.add database ['<DATABASE_NAME>'] viewers ('aadapp=<CLIENT_ID>;<TENANT_ID>')
```

{% endhint %}
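
The following is an added example, not Dropzone's or Microsoft's own tooling: a Python helper that builds the database-scoped `viewers` grant shown above for each named database, so read access stays limited to the databases Dropzone needs, and pairs each grant with a `.show database ... principals` command for checking the result. The function name, the database-name allowlist and the sample IDs are assumptions of this example.

```python
import re
import uuid

# Conservative allowlist chosen for this example; it is stricter than ADX's
# own naming rules so that no quoting or escaping logic is needed.
_DB_NAME = re.compile(r"[A-Za-z0-9_.\- ]{1,128}")


def _guid(value, label):
    """Return the canonical lowercase GUID, or raise ValueError."""
    try:
        return str(uuid.UUID(value.strip()))
    except (ValueError, AttributeError):
        raise ValueError(f"{label} is not a GUID: {value!r}") from None


def viewer_grants(client_id, tenant_id, databases):
    """Build one database-scoped viewer grant and one check per database."""
    principal = (
        f"aadapp={_guid(client_id, 'Client ID')};{_guid(tenant_id, 'Tenant ID')}"
    )
    if not databases:
        # Refuse an empty list rather than falling back to a cluster-wide grant.
        raise ValueError("name at least one database")
    commands, seen = [], set()
    for name in databases:
        # Reject anything that could break out of the ['...'] quoting.
        if not isinstance(name, str) or not _DB_NAME.fullmatch(name):
            raise ValueError(f"refusing database name: {name!r}")
        if name in seen:
            continue
        seen.add(name)
        commands.append(f".add database ['{name}'] viewers ('{principal}')")
        # Run afterwards to confirm the principal holds the viewer role only.
        commands.append(f".show database ['{name}'] principals")
    return commands


if __name__ == "__main__":
    # Constructed sample values, not real identifiers.
    for line in viewer_grants(
        "11111111-2222-3333-4444-555555555555",
        "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee",
        ["SecurityLogs", "proxy-telemetry"],
    ):
        print(line)
```
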

Alternatively, you may use [the Microsoft Azure portal](https://portal.azure.com) to assign access to each database manually.

For each Azure Data Explorer cluster you want Dropzone to be able to access, do the following:

* As someone with Role-Based Access Control rights (e.g. an Owner or User Access Administrator), navigate to [your Azure portal](https://portal.azure.com)
* Open your Azure Data Explorer cluster
* In the left-hand sidebar, navigate to Security + networking > Permissions

<figure><img src="/files/MiuZUG6PnB93QwfXmt5D" alt=""><figcaption><p>Click "Permissions"</p></figcaption></figure>

* Click "Add"
* Select the "AllDatabasesViewer" role

<figure><img src="/files/9UhZOqwktqlPTuRBXQg0" alt=""><figcaption></figcaption></figure>

* In the "New Principals" section, add the application you just created

<figure><img src="/files/E0OovfMxTpuLTQKfq6r5" alt=""><figcaption><p>Assign the role to your application</p></figcaption></figure>

* Click "Select"

<figure><img src="/files/rrCkuw1HYuJ8o76I9uTy" alt=""><figcaption></figcaption></figure>

Repeat for each cluster you will use.

For each database within the Azure Data Explorer clusters you want Dropzone to access, do the following:

* In the Overview section of your cluster, under "Database," select the database you want Dropzone to access

<figure><img src="/files/KEwwfXqbX9OUHS7JOBOc" alt=""><figcaption><p>Select your database</p></figcaption></figure>

* In the left-hand sidebar, click "Permissions"
* Click "Add"

<figure><img src="/files/n5tj96G2GOtCU8Z2D4T1" alt=""><figcaption><p>Add Permissions</p></figcaption></figure>

* In the "New Principals" section, add the application you just created

<figure><img src="/files/kwoZ4vtbj9nfyX8mq9dz" alt=""><figcaption></figcaption></figure>

* Click "Select"

<figure><img src="/files/rrCkuw1HYuJ8o76I9uTy" alt=""><figcaption></figcaption></figure>

Repeat for each database you will use.

## Locate your ADX Cluster URL(s)

Dropzone can connect to one or more ADX clusters.

To collect a cluster URL, do the following:

* In the left sidebar of your [Azure Data Explorer](https://dataexplorer.azure.com/) page, open the desired cluster

<figure><img src="/files/cMmgSysQgt0UM5P2IhCs" alt=""><figcaption></figcaption></figure>

* In the Cluster details section, copy the Cluster URL for use later in the Dropzone UI where it is called "Cluster URL"

<figure><img src="/files/4xzAWre0ZuHoEbLc9smQ" alt=""><figcaption></figcaption></figure>

Repeat for each cluster you want Dropzone to query.

## Enable Azure Data Explorer

To enable the Data Source integration, you will need the following information:

| Dropzone Field | Source                                 |
| -------------- | -------------------------------------- |
| Tenant ID      | The Directory ID copied earlier        |
| Client ID      | The Application ID copied earlier      |
| Client Secret  | The Client Secret Value copied earlier |
| Cluster URL    | The Cluster URLs copied earlier        |

To enable the Data Source integration, do the following:

* Navigate to your Dropzone AI tenant home page, e.g. https\://*mycompany*.dropzone.app
* In the bottom right corner, navigate to Settings > Integrations

<figure><img src="/files/zN02u3HObDaemUY8E1kD" alt=""><figcaption><p>Integrations Dropdown</p></figcaption></figure>

* Click "Available"

<figure><img src="/files/brI7n2Ux40Tk0jTwBCVh" alt=""><figcaption><p>Click Available</p></figcaption></figure>

* In the Search bar, search Azure Data Explorer, then click "Configure"

<figure><img src="/files/vqqa3xMRCzGLxNevIMHb" alt=""><figcaption><p>The Azure Data Explorer Tile</p></figcaption></figure>

* Input the Client ID, Tenant ID, and Client Secret

<figure><img src="/files/McS8eIRf1e51FWCPlsob" alt=""><figcaption><p>The Azure Data Source Explorer Configuration (pt 1)</p></figcaption></figure>

* Under Cluster Configuration, click "Add Item" and input at least one Cluster URL

<figure><img src="/files/ybASNF9dAF8Gv4sVbqzc" alt=""><figcaption><p>The Azure Data Source Explorer Configuration (pt 2)</p></figcaption></figure>

* Input your desired timeout for queries (in minutes)

<figure><img src="/files/Fw9RPlvL4zWu81ociJWU" alt=""><figcaption><p>The Azure Data Source Explorer Configuration (pt 3)</p></figcaption></figure>

* Click "Test & Save" to finish

After saving, run the integration's test connection (or validation) to confirm credentials and permissions. If you use the Azure scanner, run the scanner for this integration so that workspaces and table schemas are discovered. The integration will then use those workspaces for Log Analytics queries.

If you have any errors, contact your Dropzone AI support representative.

## Troubleshooting

| Symptom                                                         | Check                                                                                                                         |
| --------------------------------------------------------------- | ----------------------------------------------------------------------------------------------------------------------------- |
| "Credentials are incomplete" or auth errors                     | Verify Tenant ID, Client ID, and Client Secret; ensure the secret has not expired.                                            |
| "Failed to list resource groups"                                | Ensure Reader is assigned on that subscription; role assignment can take a few minutes to propagate.                          |
| "Failed to query Azure Log Analytics" or 403 on workspace query | Ensure Log Analytics Reader is assigned on that specific workspace; confirm the workspace ID in config matches the workspace. |
| Activity log query fails                                        | Ensure Reader is assigned on the subscription (subscription-level Activity Log is covered by Reader).                         |


