SOLVED

Export and Import Saved Queries and Functions from one Sentinel Workspace to Another


I have been getting so much value out of Azure Sentinel, custom log types, and custom functions to parse logs and make them easy to query in KQL (I have Sysmon, Suricata and Zeek among others). I've spent a lot of time creating and fine-tuning saved queries and functions in one workspace, and now I'd like to easily export all of those saved queries and functions into another workspace.


So much of Sentinel is built on APIs, it seems like there should be a programmatic way to export these into a json structure (or something) and then import those into another workspace, but I can't find it in the documentation. I know that I can take these one at a time, copy and paste from one workspace into another. That would be OK with one or two custom functions, but I have over 30. I'd like to automate this if possible. Does anyone know a way to get that done? I'm comfortable with writing custom code if needed.

5 Replies
Best Response confirmed by rpargman (New Contributor)
Solution

@rpargman You need to use the Log Analytics REST API to get access to those. Take a look at https://docs.microsoft.com/en-us/rest/api/loganalytics/savedsearches to get started.

Thank you! That Log Analytics API is amazing. I didn't realize that it could get the queries, too.

@rpargman, @Gary Bushey: the powershell cmdlets might be an easier start than the API: create (https://docs.microsoft.com/en-us/powershell/module/az.operationalinsights/new-azoperationalinsightssavedsearch), remove (https://docs.microsoft.com/en-us/powershell/module/az.operationalinsights/remove-azoperationalinsightssavedsearch), get (https://docs.microsoft.com/en-us/powershell/module/az.operationalinsights/get-azoperationalinsightssavedsearch?view=azps-4.3.0)

Oh thank you! I'll check those out, too. I appreciate the tip.

@rpargman I had to do this the other day

# Get-AzContext -ListAvailable
# Set the source workspace
Set-AzContext -Subscription "<Source Subscription>"
$ResourceGroup = "<Source RG>"
$WorkspaceName = "<Source WorkSpace>"

# Only export saved queries from these categories
$Categories = ("sec", "usage", "proxy", "win", "o365")

# Each saved search is returned under .Value; its .Properties carry Category, DisplayName, Query and Version
$ExportedSearches = (Get-AzOperationalInsightsSavedSearch -ResourceGroupName $ResourceGroup -WorkspaceName $WorkspaceName).Value.Properties | Where-Object { $Categories -contains $_.Category }

# Set the destination workspace
Set-AzContext -Subscription "<Dest Subscription>"
$ResourceGroup = "<Dest RG>"
$WorkspaceName = "<Dest WorkSpace>"

# Import Saved Searches (-Force overwrites a saved search that already exists with the same id)
foreach ($search in $ExportedSearches) {
    $id = $search.Category + "|" + $search.DisplayName
    New-AzOperationalInsightsSavedSearch -Force -ResourceGroupName $ResourceGroup -WorkspaceName $WorkspaceName -SavedSearchId $id -DisplayName $search.DisplayName -Category $search.Category -Query $search.Query -Version $search.Version
}
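The following is an added example, not code posted by anyone in this thread. It takes the REST route from the accepted answer rather than the cmdlets: it reads every saved search from the source workspace through the Microsoft.OperationalInsights savedSearches ARM endpoint with Invoke-AzRestMethod, writes a portable JSON file, and then PUTs each entry into the destination workspace. Unlike the cmdlet snippet above it carries functionAlias and functionParameters across, which is what turns a saved search into a callable KQL function, and it refuses to overwrite an existing saved search unless asked. Assumptions: the Az.Accounts module is installed and Connect-AzAccount has been run with an identity that can read the source and write the destination workspace (both in the same tenant, otherwise reconnect between the two calls); api-version 2020-08-01 of the savedSearches resource; the function names, placeholder subscription/resource group/workspace values and the JSON file name are this example's own.

```powershell
# Added example: export/import Log Analytics saved searches (incl. functions) via the ARM REST API.
# Assumes Connect-AzAccount has already been run (Az.Accounts). Placeholder names are illustrative.
$ApiVersion = '2020-08-01'

function Get-SavedSearchPath {
    param([string]$SubscriptionId, [string]$ResourceGroup, [string]$Workspace, [string]$SavedSearchId)
    $path = "/subscriptions/$SubscriptionId/resourceGroups/$ResourceGroup" +
            "/providers/Microsoft.OperationalInsights/workspaces/$Workspace/savedSearches"
    # Ids such as "sec|My Query" contain characters that must be escaped in the URL.
    if ($SavedSearchId) { $path += "/" + [uri]::EscapeDataString($SavedSearchId) }
    return "$path`?api-version=$ApiVersion"
}

function Export-SavedSearches {
    param([string]$SubscriptionId, [string]$ResourceGroup, [string]$Workspace, [string]$OutFile)
    $resp = Invoke-AzRestMethod -Method GET -Path (Get-SavedSearchPath $SubscriptionId $ResourceGroup $Workspace)
    if ($resp.StatusCode -ne 200) { throw "Export failed: HTTP $($resp.StatusCode) $($resp.Content)" }
    $items = ($resp.Content | ConvertFrom-Json).value
    # Keep only what is needed to recreate each search; the source resource id and etag are
    # workspace-specific and would not apply in the destination.
    $export = foreach ($item in @($items)) {
        [ordered]@{
            savedSearchId = ($item.id -split '/')[-1]
            properties    = $item.properties
        }
    }
    # Queries routinely embed internal hostnames, IP ranges and account names: protect this
    # file like any other sensitive artifact (tight ACLs, no public repositories).
    ConvertTo-Json -InputObject @($export) -Depth 10 | Set-Content -Path $OutFile -Encoding utf8
    return @($export).Count
}

function Import-SavedSearches {
    param([string]$SubscriptionId, [string]$ResourceGroup, [string]$Workspace, [string]$InFile,
          [string[]]$Categories = @(), [switch]$Overwrite)
    $items = Get-Content -Path $InFile -Raw | ConvertFrom-Json
    $results = @{ created = 0; skipped = 0; failed = 0 }
    foreach ($item in @($items)) {
        $p = $item.properties
        if ($Categories.Count -gt 0 -and $Categories -notcontains $p.category) { $results.skipped++; continue }
        $path = Get-SavedSearchPath $SubscriptionId $ResourceGroup $Workspace $item.savedSearchId
        if (-not $Overwrite) {
            # PUT replaces silently, so check first rather than clobber a tuned detection.
            $existing = Invoke-AzRestMethod -Method GET -Path $path
            if ($existing.StatusCode -eq 200) { $results.skipped++; continue }
        }
        # Only the writable properties go back; functionAlias/functionParameters make the
        # saved search callable as a function, which the cmdlet snippet above drops.
        $body = @{ properties = [ordered]@{
            category    = $p.category
            displayName = $p.displayName
            query       = $p.query
            version     = if ($p.version) { $p.version } else { 2 }
        } }
        if ($p.functionAlias)      { $body.properties.functionAlias      = $p.functionAlias }
        if ($p.functionParameters) { $body.properties.functionParameters = $p.functionParameters }
        if ($p.tags)               { $body.properties.tags               = $p.tags }
        $resp = Invoke-AzRestMethod -Method PUT -Path $path -Payload (ConvertTo-Json -InputObject $body -Depth 10)
        if ($resp.StatusCode -in @(200, 201)) { $results.created++ }
        else {
            $results.failed++
            Write-Warning "$($item.savedSearchId): HTTP $($resp.StatusCode) $($resp.Content)"
        }
    }
    return $results
}

# Usage with placeholder values (constructed for this example):
# $count = Export-SavedSearches -SubscriptionId '<src sub id>' -ResourceGroup '<src rg>' -Workspace '<src ws>' -OutFile .\savedsearches.json
# Import-SavedSearches -SubscriptionId '<dst sub id>' -ResourceGroup '<dst rg>' -Workspace '<dst ws>' -InFile .\savedsearches.json -Categories 'sec','win'
```

The JSON file in between is the useful by-product: it can be reviewed, diffed and kept under (private) version control so the parsers and hunting queries are not tied to one workspace. Pass -Overwrite only when the destination is meant to be replaced wholesale; a PUT to an existing id silently discards the version that was there.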