Forum Discussion
rpargman
Nov 19, 2020, Copper Contributor
Export and Import Saved Queries and Functions from one Sentinel Workspace to Another
I have been getting so much value out of Azure Sentinel, custom log types, and custom functions to parse logs and make them easy to query in KQL (I have Sysmon, Suricata and Zeek among others). I've ...
- Nov 19, 2020
rpargman You need to use the Log Analytics REST API to get access to those. Take a look at: https://docs.microsoft.com/en-us/rest/api/loganalytics/savedsearches to get started
pemontto
May 17, 2021, Brass Contributor
SocInABox just use JSON to serialise it:
export-searches.ps1 (./export-searches.ps1 myRG myWorkspace > searches.json)
$ResourceGroup = $args[0]
$WorkspaceName = $args[1]
(Get-AzOperationalInsightsSavedSearch -ResourceGroupName $ResourceGroup -WorkspaceName $WorkspaceName).Value.Properties | ConvertTo-Json
You can easily add, remove, update queries in the JSON file then:
import-searches.ps1 (./import-searches.ps1 myRG myWorkspace searches.json)
$ResourceGroup = $args[0]
$WorkspaceName = $args[1]
$InputFile = $args[2]
foreach ($search in Get-Content $InputFile | ConvertFrom-Json) {
    $id = $search.Category + "|" + $search.DisplayName
    Write-Output "Importing $($search.DisplayName) ($($search.Category))"
    New-AzOperationalInsightsSavedSearch -Force -ResourceGroupName $ResourceGroup -WorkspaceName $WorkspaceName -SavedSearchId $id -DisplayName $search.DisplayName -Category $search.Category -Query $search.Query -Version $search.Version
}
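As an added example (not pemontto's code or anything from the thread), the import half can be made safer by comparing the exported JSON against what the target workspace already holds, printing NEW / CHANGED / UNCHANGED per search, and only writing with -Force when -Apply is given. It keeps the thread's "Category|DisplayName" id convention, assumes Az.OperationalInsights is installed and Connect-AzAccount has been run, and assumes the exported properties carry a FunctionAlias field for saved functions (which the plain import above drops, turning functions into ordinary queries).

```powershell
# import-searches-diff.ps1 (added example, not from the thread)
# Usage: ./import-searches-diff.ps1 myRG myWorkspace searches.json          (dry run)
#        ./import-searches-diff.ps1 myRG myWorkspace searches.json -Apply   (write)
param(
    [Parameter(Mandatory)][string]$ResourceGroup,
    [Parameter(Mandatory)][string]$WorkspaceName,
    [Parameter(Mandatory)][string]$InputFile,
    [switch]$Apply   # without -Apply nothing is written to the workspace
)

# Same id convention as the thread's scripts: "<category>|<display name>"
function Get-SearchId($s) { return "$($s.Category)|$($s.DisplayName)" }

# Index what the target workspace already has, keyed by that id
$existing = @{}
$current = (Get-AzOperationalInsightsSavedSearch -ResourceGroupName $ResourceGroup -WorkspaceName $WorkspaceName).Value.Properties
foreach ($p in $current) {
    $existing[(Get-SearchId $p)] = $p
}

$incoming = Get-Content $InputFile -Raw | ConvertFrom-Json
foreach ($search in $incoming) {
    $id = Get-SearchId $search
    # Refuse entries that cannot be imported meaningfully
    if ([string]::IsNullOrWhiteSpace($search.Query) -or [string]::IsNullOrWhiteSpace($search.DisplayName)) {
        Write-Warning "Skipping malformed entry: $id"
        continue
    }
    $have = $existing[$id]
    if ($null -eq $have) {
        $status = 'NEW'
    } elseif ($have.Query.Trim() -ne $search.Query.Trim()) {
        $status = 'CHANGED'
    } else {
        $status = 'UNCHANGED'
    }
    Write-Output ("{0,-9} {1}" -f $status, $id)
    if (-not $Apply -or $status -eq 'UNCHANGED') { continue }

    $params = @{
        ResourceGroupName = $ResourceGroup
        WorkspaceName     = $WorkspaceName
        SavedSearchId     = $id
        DisplayName       = $search.DisplayName
        Category          = $search.Category
        Query             = $search.Query
        Force             = $true   # overwrite an existing search with the same id
    }
    if ($search.Version) { $params['Version'] = $search.Version }
    # Assumption: exported saved functions carry FunctionAlias; pass it on so they
    # are restored as functions rather than as plain queries.
    if ($search.FunctionAlias) { $params['FunctionAlias'] = $search.FunctionAlias }
    New-AzOperationalInsightsSavedSearch @params | Out-Null
}
```

Run it once without -Apply to review the diff, then with -Apply; searches reported UNCHANGED are never rewritten, so re-running the import is idempotent.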
SocInABox
Jun 21, 2021, Iron Contributor
pemontto , thanks again for your excellent queries.
Maybe someone can use these variations I made for my purpose:
Title: Scripts for House Cleaning your Saved Searches in Sentinel
./export-search.ps1 <resource group> <workspace> > test.json
#export ALL saved searches
$ResourceGroup = $args[0]
$WorkspaceName = $args[1]
(Get-AzOperationalInsightsSavedSearch -ResourceGroupName $ResourceGroup -WorkspaceName $WorkspaceName).Value.Properties | ConvertTo-Json
./export-search-bycategories.ps1 <resource group> <workspace> > test.json
#export only the saved search categories specified in the $Categories variable below.
$ResourceGroup = $args[0]
$WorkspaceName = $args[1]
# Only export saved queries from these categories - comma separated
$Categories = ("test")
(Get-AzOperationalInsightsSavedSearch -ResourceGroupName $ResourceGroup -WorkspaceName $WorkspaceName).Value.Properties | Where-Object { $Categories -contains $_.Category } | ConvertTo-Json
./import-searches.ps1 <resource group> <workspace> test.json
# use this to import after making your changes from the above export json
$ResourceGroup = $args[0]
$WorkspaceName = $args[1]
$InputFile = $args[2]
foreach ($search in Get-Content $InputFile | ConvertFrom-Json) {
    $id = $search.Category + "|" + $search.DisplayName
    Write-Output "Importing $($search.DisplayName) ($($search.Category))"
    New-AzOperationalInsightsSavedSearch -Force -ResourceGroupName $ResourceGroup -WorkspaceName $WorkspaceName -SavedSearchId $id -DisplayName $search.DisplayName -Category $search.Category -Query $search.Query -Version $search.Version
}
./remove-searches.ps1 <resource group> <workspace> test.json
# use this to REMOVE saved searches
# note: if you remove the last saved search from a category it will automatically remove the category folder
$ResourceGroup = $args[0]
$WorkspaceName = $args[1]
$InputFile = $args[2]
foreach ($search in Get-Content $InputFile | ConvertFrom-Json) {
    $id = $search.Category + "|" + $search.DisplayName
    Write-Output "Removing $($search.DisplayName) ($($search.Category))"
    Remove-AzOperationalInsightsSavedSearch -ResourceGroupName $ResourceGroup -WorkspaceName $WorkspaceName -SavedSearchId $id -debug
}
./remove-query.ps1 <resource group> <workspace> "<folder category>|<query name>"
# use this to remove a single query
# pro tip - you can NOT remove a category/folder but removing the last query will automatically remove the folder
$ResourceGroup = $args[0]
$WorkspaceName = $args[1]
$query = $args[2]
Write-Output "Removing query: $query"
Remove-AzOperationalInsightsSavedSearch -ResourceGroupName $ResourceGroup -WorkspaceName $WorkspaceName -SavedSearchId $query -debug
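As an added example (not SocInABox's scripts or anything from the thread), the house-cleaning variant below removes every saved search in one named category, but first writes a timestamped backup in the same shape the export scripts produce, so a mistaken cleanup can be reversed with the import script. It supports -WhatIf for a preview, uses the thread's "Category|DisplayName" id convention, and assumes Az.OperationalInsights is installed and Connect-AzAccount has been run.

```powershell
# remove-category.ps1 (added example, not from the thread)
# Usage: ./remove-category.ps1 myRG myWorkspace test -WhatIf   (preview only)
#        ./remove-category.ps1 myRG myWorkspace test           (back up, then delete)
[CmdletBinding(SupportsShouldProcess)]
param(
    [Parameter(Mandatory)][string]$ResourceGroup,
    [Parameter(Mandatory)][string]$WorkspaceName,
    [Parameter(Mandatory)][string]$Category,
    [string]$BackupDir = '.'
)

$all = (Get-AzOperationalInsightsSavedSearch -ResourceGroupName $ResourceGroup -WorkspaceName $WorkspaceName).Value.Properties
# Exact (case-insensitive) category match; nothing outside the category is touched
$targets = @($all | Where-Object { $_.Category -eq $Category })
if ($targets.Count -eq 0) {
    Write-Output "No saved searches in category '$Category'; nothing to do."
    return
}

# Backup first, in the same shape as the export scripts, so it can be re-imported as-is
$stamp  = Get-Date -Format 'yyyyMMdd-HHmmss'
$backup = Join-Path $BackupDir ("backup-{0}-{1}-{2}.json" -f $WorkspaceName, $Category, $stamp)
$targets | ConvertTo-Json -Depth 5 | Set-Content -Path $backup -Encoding UTF8
Write-Output "Backed up $($targets.Count) saved searches to $backup"

foreach ($s in $targets) {
    $id = "$($s.Category)|$($s.DisplayName)"
    # With -WhatIf on this script, ShouldProcess prints the action instead of performing it
    if ($PSCmdlet.ShouldProcess($id, 'Remove saved search')) {
        Remove-AzOperationalInsightsSavedSearch -ResourceGroupName $ResourceGroup -WorkspaceName $WorkspaceName -SavedSearchId $id -Confirm:$false
    }
}
```

As the thread notes, deleting the last search in a category also drops the category folder; the backup file is what lets you recreate it by importing again.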