Is there a way to pull sentinel query history for a user.

Question

How to get the user query history for an user, can it be possible to see what query run by a user or can we create any rule for this in Azure Sentinel. I can see the query run by myself in history, but if i want to audit the queries run by any user&nbsp; in sentinel ,if this possible in sentinel and if possible how it will be done.

mclaes · Answer

Pinku1725&nbsp;Got the same question from our data privacy officer the other day. Didn't find a way to audit query history. Is sort of a valid point given the huge amount of data that's available in a workspace.

garybushey · Answer

Pinku1725&nbsp;That data is stored somewhere since you can see your query history when you go into the Logs page, unfortunately I have no idea where it is stored.&nbsp; I did not find anything in the logs that seems like it would store it nor is there anything in the REST API for it.&nbsp; I did find a reference to:&nbsp;https://portal.loganalytics.io/api/userHistoryQueries&nbsp; when looking at the Developer's Tools so that could be a good place to start (although you can clear this out so it is not a good permanent record)&nbsp;I would suggest adding a suggestion to&nbsp;https://feedback.azure.com/forums/920458-azure-sentinel&nbsp;to try to get this feature added.

pinku1725 · Answer

Thank you very for your suggestion Gary GaryBushey&nbsp;

clivewatson · Answer

hHello&nbsp;Pinku1725&nbsp;
&nbsp;
“expect a preview soon” is all I can say for now,&nbsp; Thanks Clive&nbsp;

clivewatson · Answer

Pinku1725&nbsp;
&nbsp;
https://docs.microsoft.com/en-us/azure/azure-monitor/log-query/query-audit
https://docs.microsoft.com/en-us/azure/azure-monitor/reference/tables/laquerylogs
&nbsp;

Forum Discussion

Is there a way to pull sentinel query history for a user.

5 Replies

Resources