I’ve talked recently about how to use the cool new feature of Query Packs to save your Azure Sentinel queries for longer term. Query history is only save for 30 days, despite the 90-day retention offering for other Azure Sentinel data. So, its good to make use of the Query Packs or the general Save function in the Azure Sentinel UI to make sure your best queries aren’t lost.
However, there’s another, KQL-centric method to accomplish this and save your query history externally for those folks like me that like the have backups of my backups.
LAQueryLogs is the table that contains the history of the queries that have been created and run. The following query pulls query history from the last 30 days (again, the storage limit for queries) and delivers just the queries themselves in the results.
LAQueryLogs
| where TimeGenerated >= (30d)
| project QueryTextOnce you have the results, use the Export function in the UI and choose the option for just displayed columns.
The following is an example of the resulting CSV. All the queries are neatly stored and in proper order.
Don’t have the LAQueryLogs table in your workspace. See: How to Enable the LAQueryLogs Table for Azure Sentinel
=========================
[Want to discuss this further? Hit me up on Twitter or LinkedIn]
[Subscribe to the RSS feed for this blog]
[Subscribe to the Weekly Azure Sentinel Newsletter]
You must log in to post a comment.