A bit ago, I talked about How to Save an Azure Sentinel Query to a Custom Query Pack. This gives Azure Sentinel users another option for saving queries for the long term.
But, once the queries have been saved to a custom query pack, how do you access them?
Here’s how…
In the Logs blade in Azure Sentinel, click to switch to the Queries tab and then click the vertical ellipses next to the Search field to choose the Select Query Packs option.
On the next screen that’s presented, locate your custom query pack in the list and enable it with checkmark.
Fortunately, you only have to perform this procedure once. Next time you go into the Azure portal, your choice is retained.
With your custom query pack enabled and back on the Logs blade, click the Queries option in the top right. Then, change the query filter dropdown to Query Type.
Now, with the display adjusted, Query pack queries is an option and your saved queries will be available to access.
=========================
[Want to discuss this further? Hit me up on Twitter or LinkedIn]
[Subscribe to the RSS feed for this blog]
[Subscribe to the Weekly Azure Sentinel Newsletter]
You must log in to post a comment.