Monitoring & Operations

Log Explorer

Run KQL queries against your Log Analytics workspace from the VaultGuard360 dashboard, export to CSV, and integrate with Application Insights.


The Log Explorer page lets authenticated users run Kusto Query Language (KQL) queries against the Log Analytics workspace that backs your VaultGuard360 deployment — without needing direct Azure portal access or Log Analytics RBAC roles.


How It Works

The Log Explorer sends your KQL query to the Function App, which proxies the request to Log Analytics using its managed identity. You never need direct workspace access — the Function App handles authentication on your behalf.

Security constraints applied server-side:

  • Results are limited to 1,000 rows per query
  • Management (control) commands are blocked (.set, .drop, .alter, and similar data-definition operations)
  • The workspace GUID is never exposed to the client
  • All queries are scoped to your workspace only
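
As an added illustration of the server-side constraints listed above (example code written for this page, not VaultGuard360's own implementation), the guard below shows what a proxying Function App can apply before forwarding a query: it rejects dot-prefixed management commands even when a dot appears inside a string literal, appends a hard row cap, and keeps the workspace GUID out of anything returned to the browser. The Log Analytics Query API URL shape and the function names are assumptions.

```python
import re
from typing import Optional

MAX_ROWS = 1000  # result cap described on this page

# Blank out string literals and // comments so a "." inside quotes (e.g. contains ".aspx")
# neither triggers nor hides the management-command check. Assumes plain "..."/'...' literals.
_STRING_LITERAL = re.compile(r'"(?:\\.|[^"\\])*"|\'(?:\\.|[^\'\\])*\'')
_LINE_COMMENT = re.compile(r"//[^\n]*")


def find_policy_violation(kql: str) -> Optional[str]:
    """Return a reason the query must be rejected, or None if it passes."""
    if not kql or not kql.strip():
        return "empty query"
    cleaned = _LINE_COMMENT.sub("", _STRING_LITERAL.sub('""', kql))
    # Management commands (.set, .drop, .alter, ...) begin a statement with a dot;
    # statements are separated by ';' (e.g. after a 'let' binding).
    for statement in cleaned.split(";"):
        if statement.lstrip().startswith("."):
            return "management commands are not allowed"
    return None


def enforce_row_limit(kql: str, max_rows: int = MAX_ROWS) -> str:
    """Append a final 'take' so the workspace never returns more than max_rows."""
    body = kql.rstrip().rstrip(";").rstrip()  # a trailing ';' would break the pipe
    # Start on a new line so a trailing // comment cannot swallow the operator.
    return f"{body}\n| take {max_rows}"


def build_proxy_request(user_kql: str, workspace_id: str) -> dict:
    """Build the (hypothetical) Log Analytics Query API call the proxy would send."""
    # workspace_id comes from server configuration; it appears only in the URL
    # sent to Azure and is never echoed back to the client.
    violation = find_policy_violation(user_kql)
    if violation:
        raise ValueError(violation)
    return {
        "method": "POST",
        "url": f"https://api.loganalytics.io/v1/workspaces/{workspace_id}/query",
        "json": {"query": enforce_row_limit(user_kql)},
    }


def shape_client_response(tables: list) -> dict:
    """Return only table data to the client, re-applying the row cap defensively."""
    return {"tables": [{"name": t["name"], "columns": t["columns"],
                        "rows": t["rows"][:MAX_ROWS]} for t in tables]}
```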

Sample KQL Queries

Recent Scan Activity

AppTraces
| where TimeGenerated > ago(7d)
| where Message contains "scan"
| project TimeGenerated, Message, SeverityLevel
| order by TimeGenerated desc
| take 50

Notification Delivery History

AppTraces
| where TimeGenerated > ago(30d)
| where Message contains "notification" or Message contains "email" or Message contains "webhook"
| project TimeGenerated, Message, SeverityLevel, Properties
| order by TimeGenerated desc

Failed Operations

AppExceptions
| where TimeGenerated > ago(24h)
| project TimeGenerated, ExceptionType, InnermostMessage, ProblemId
| order by TimeGenerated desc
| take 100

HTTP Request Log (Access Audit)

AppRequests
| where TimeGenerated > ago(7d)
| where Url !contains "/api/health"
| project TimeGenerated, Url, ResultCode, DurationMs, ClientIP
| order by TimeGenerated desc

Configuration Changes

AppTraces
| where TimeGenerated > ago(90d)
| where Message contains "config" or Message contains "settings" or Message contains "route"
| where SeverityLevel >= 3
| project TimeGenerated, Message, Properties
| order by TimeGenerated desc

Items Expiring Within 7 Days (Last Scan)

AppTraces
| where TimeGenerated > ago(24h)
| where Message contains "critical" or Message contains "expired"
| project TimeGenerated, Message, Properties
| order by TimeGenerated desc
| take 200

Scan Duration Trend

AppTraces
| where TimeGenerated > ago(30d)
| where Message contains "scan completed"
| extend duration = extract("duration: (\\d+)", 1, Message)
| project TimeGenerated, duration
| order by TimeGenerated asc

Exporting to CSV

Query results can be exported to CSV for use in compliance evidence packages, incident reports, or further analysis in Excel or a SIEM.

  1. Run your KQL query in the Log Explorer
  2. Review the results in the table view
  3. Click Export to CSV
  4. The download includes all columns and up to 1,000 rows from the result set

Note: If your compliance requirement needs more than 1,000 rows, run the query directly in the Azure portal's Log Analytics interface where you have direct workspace access, or use the Azure Monitor REST API.


Application Insights Integration

VaultGuard360's Function App sends telemetry to Application Insights, which feeds into the same Log Analytics workspace. The primary telemetry tables are:

Table            Contents
AppTraces        Application log messages (scans, notifications, configuration changes)
AppRequests      HTTP request logs (URL, status code, duration, client IP)
AppExceptions    Unhandled exceptions and error details
AppDependencies  Outbound calls (Azure Storage, Key Vault, ACS, etc.)
AppMetrics       Custom metrics (item counts by severity, scan duration)

All tables carry a TimeGenerated column and can be joined on OperationId for end-to-end request tracing.

Correlation ID Tracing

Each scan and API request carries a correlation ID. To trace all events for a specific scan:

let correlationId = "<paste-correlation-id-here>";
// withsource= adds a column naming the table each row came from
union withsource=SourceTable AppTraces, AppRequests, AppDependencies, AppExceptions
| where OperationId == correlationId
| project TimeGenerated, SourceTable, Message, Url, ResultCode
| order by TimeGenerated asc

Accessing the Log Explorer

Navigate to Dashboard → Log Explorer in the sidebar. The page is available to all authenticated users. No additional RBAC roles are required — the Function App proxies all queries using its own managed identity.

Enterprise note: On Enterprise deployments with AMPLS (Azure Monitor Private Link Scope), the Function App reaches Log Analytics through the private endpoint via VNet integration. The Log Explorer works identically — the private routing is transparent to the user.