In the Logs blade for Azure Sentinel, only a limited history (30 days' worth) of the executed queries is kept in the results window. A query you ran recently, or semi-recently, may no longer appear in that list.
Of course, saving and categorizing queries is one way to retain them, and you can also save your queries to Query Packs. But you can also use the LAQueryLogs table to locate any query that has been run against the workspace.
However, the LAQueryLogs table isn't enabled by default in your Log Analytics workspace. To use LAQueryLogs data when auditing in Azure Sentinel, first enable it in your Log Analytics workspace's Diagnostic settings area.
The length of time queries are stored in the LAQueryLogs table depends on your Azure Sentinel data retention setting; this table follows the same retention rules as every other table in the workspace.
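As an added example (not code from the original post), here is a KQL query you can run in the Logs blade once the LAQueryLogs table is populated. It searches the audited query history for anything that touched a given table, grouped by who ran it and from which client. The column names AADEmail, QueryText, RequestClientApp, ResponseCode and ResponseDurationMs are assumed from the LAQueryLogs schema; the table name SecurityEvent and the 30-day window are constructed placeholders you would replace with what you are actually looking for.

```kusto
// Added example: locate previously executed queries in LAQueryLogs.
// Assumes the workspace's Diagnostic settings already send query audit data here.
let lookback = 30d;                         // constructed: match the Logs blade history window
let needle   = "SecurityEvent";             // constructed: the table or keyword you remember using
LAQueryLogs
| where TimeGenerated > ago(lookback)
// Queries against LAQueryLogs are themselves audited; drop them so the search
// for "needle" is not polluted by this very query.
| where QueryText !contains "LAQueryLogs"
| where QueryText contains needle
// ResponseCode 200 means the query ran; keep failures too, since a query you
// want to recover may have errored on its first attempt.
| project TimeGenerated, AADEmail, RequestClientApp, ResponseCode, ResponseDurationMs, QueryText
| summarize LastRun = max(TimeGenerated),
            RunCount = count(),
            SampleQuery = any(QueryText)
    by AADEmail, RequestClientApp, QueryText
| order by LastRun desc
```

Narrow AADEmail to your own account when you are hunting for one of your own lost queries; leave it open when the goal is auditing which analysts ran what, and from which client (portal, API, workbook) they ran it.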