Log Analytics Query Packs are a new concept. These “packs” enable you to save your queries so that they are immediately deployable.
See Query packs in Azure Monitor – Azure Monitor | Microsoft Docs for details.
When you save your first query to the Query Packs service, a DefaultQueryPack is created. This is helpful, but you may determine you want a better definable Query Pack name for your organization. Or, you may want to separate different queries into different Query Packs based on a number of organizational factors.
You can do this. But, you first need create a custom Query Pack.
To accomplish this, access the Log Analytics Query Packs service and choosing to Create a new one.
The process is an easy one and one that is a familiar operation for anyone that has worked in Azure. Essentially, it just needs to capture the proper Azure Subscription, the Resource Group that will manage the resource (in this case, make it the same Resource Group where the Azure Sentinel resources reside), and give it an official name.
Once the new Query Pack has been created, it will now show up as an option when you want to save a query in Azure Sentinel (Save – Save as Log Analytics Query). However, the interface always defaults to the default DefaultQueryPack, so you have to make sure to uncheck the Save to the default query pack each time.
=========================
[Want to discuss this further? Hit me up on Twitter or LinkedIn]
[Subscribe to the RSS feed for this blog]
[Subscribe to the Weekly Azure Sentinel Newsletter]
2 thoughts on “How to Save an Azure Sentinel Query to a Custom Query Pack”
You must log in to post a comment.