Forum Discussion

Copper Contributor

May 06, 2020

Is there a way to pull sentinel query history for a user.

How to get the user query history for an user, can it be possible to see what query run by a user or can we create any rule for this in Azure Sentinel. I can see the query run by myself in history, b...

GaryBushey

Bronze Contributor

May 06, 2020

Pinku1725 That data is stored somewhere since you can see your query history when you go into the Logs page, unfortunately I have no idea where it is stored. I did not find anything in the logs that seems like it would store it nor is there anything in the REST API for it. I did find a reference to: https://portal.loganalytics.io/api/userHistoryQueries when looking at the Developer's Tools so that could be a good place to start (although you can clear this out so it is not a good permanent record)

I would suggest adding a suggestion to https://feedback.azure.com/forums/920458-azure-sentinel to try to get this feature added.

Pinku1725
Copper Contributor
May 06, 2020
Thank you very for your suggestion Gary GaryBushey
- CliveWatson
  Former Employee
  May 07, 2020
  hHello Pinku1725
  
  “expect a preview soon” is all I can say for now, Thanks Clive
  - CliveWatson
    Former Employee
    Sep 25, 2020
    Pinku1725
    
    https://docs.microsoft.com/en-us/azure/azure-monitor/log-query/query-audit
    
    https://docs.microsoft.com/en-us/azure/azure-monitor/reference/tables/laquerylogs