Forum Discussion

rpargman's avatar
rpargman
Copper Contributor
Nov 19, 2020
Solved

Export and Import Saved Queries and Functions from one Sentinel Workspace to Another

I have been getting so much value out of Azure Sentinel, custom log types, and custom functions to parse logs and make them easy to query in KQL (I have Sysmon, Suricata and Zeek among others). I've ...
pemontto's avatar
pemontto
Brass Contributor
May 17, 2021

SocInABox just use JSON to serialise it:

 

export-searches.ps1 (./export-searches.ps1 myRG myWorkspace > searches.json)

 

$ResourceGroup =  $args[0]
$WorkspaceName =  $args[1]

(Get-AzOperationalInsightsSavedSearch -ResourceGroupName $ResourceGroup -WorkspaceName $WorkspaceName).Value.Properties | ConvertTo-Json

 

 

 

You can easily add, remove, update queries in the JSON file then:

import-searches.ps1 (./import-searches.ps1 myRG myWorkspace searches.json)

 

$ResourceGroup =  $args[0]
$WorkspaceName =  $args[1]
$InputFile = $args[2]

foreach ($search in  Get-Content $InputFile | ConvertFrom-Json) {
    $id = $search.Category + "|" + $search.DisplayName
    Write-Output "Importing $($search.DisplayName) ($($search.Category))"
    New-AzOperationalInsightsSavedSearch -Force -ResourceGroupName $ResourceGroup -WorkspaceName $WorkspaceName -SavedSearchId $id -DisplayName $search.DisplayName -Category $search.Category -Query $search.Query -Version $search.Version
}

 

 

 

 

SocInABox's avatar
SocInABox
Iron Contributor
Jun 21, 2021

pemontto , thanks again for your excellent queries.
Maybe someone can use these variations I made for my purpose:

 

Title:  Scripts for House Cleaning your Saved Searches in Sentinel

./export-search.ps1<resource group> <workspace> > test.json

#export ALL saved searches

$ResourceGroup =  $args[0]
$WorkspaceName =  $args[1]

(Get-AzOperationalInsightsSavedSearch -ResourceGroupName $ResourceGroup -WorkspaceName $WorkspaceName).Value.Properties | ConvertTo-Json

 

./export-search-bycategories.ps1<resource group> <workspace> > test.json

#export only the saved search categories specified in the $Categories variable below.

$ResourceGroup =  $args[0]

$WorkspaceName =  $args[1]

# Only export saved queries from these categories - comma separated

$Categories = ("test")

(Get-AzOperationalInsightsSavedSearch -ResourceGroupName $ResourceGroup -WorkspaceName $WorkspaceName).Value.Properties | Where-Object { $Categories -contains $_.Category }

|ConvertTo-Json

 

./import-searches.ps1 <resource group> <workspace> test.json

# use this to import after making your changes from the above export json

$ResourceGroup =  $args[0]

$WorkspaceName =  $args[1]

$InputFile = $args[2]

foreach ($search in  Get-Content $InputFile | ConvertFrom-Json) {

    $id = $search.Category + "|" + $search.DisplayName

    Write-Output "Importing $($search.DisplayName) ($($search.Category))"

    New-AzOperationalInsightsSavedSearch -Force -ResourceGroupName $ResourceGroup -WorkspaceName $WorkspaceName -SavedSearchId $id -DisplayName $search.DisplayName -Category $search.Category -Query $search.Query -Version $search.Version

}

 

./remove-searches.ps1 <resource group> <workspace>  test.json

# use this to REMOVE saved searches

# note: if you remove the last saved search from a category it will automatically remove the category folder

$ResourceGroup =  $args[0]

$WorkspaceName =  $args[1]

$InputFile = $args[2]

foreach ($search in  Get-Content $InputFile | ConvertFrom-Json) {

    $id = $search.Category + "|" + $search.DisplayName

    Write-Output "Removing $($search.DisplayName) ($($search.Category))"

    Remove-AzOperationalInsightsSavedSearch -ResourceGroupName $ResourceGroup -WorkspaceName $WorkspaceName -SavedSearchId $id -debug

}

 

./remove-query.ps1 <resource group> <workspace> "<folder category>|<query name>"

# use this to remove a single query

# pro tip - you can NOT remove a category/folder but removing the last query will automatically remove the folder

$ResourceGroup =  $args[0]

$WorkspaceName =  $args[1]

$query =  $args[2]

 Write-Output "Removing query: $query"

Remove-AzOperationalInsightsSavedSearch -ResourceGroupName $ResourceGroup -WorkspaceName $WorkspaceName -SavedSearchId $query -debug

Resources