Is there a way to pull Sentinel query history for a user?


How to get the query history for a user? Is it possible to see what queries were run by a user, or can we create any rule for this in Azure Sentinel? I can see the queries I ran myself in history, but I want to audit the queries run by any user in Sentinel. Is this possible in Sentinel, and if so, how would it be done?

5 Replies

@Pinku1725 Got the same question from our data privacy officer the other day. Didn't find a way to audit query history. It is sort of a valid point given the huge amount of data that's available in a workspace.

@Pinku1725 That data is stored somewhere, since you can see your query history when you go into the Logs page; unfortunately, I have no idea where it is stored. I did not find anything in the logs that seems like it would store it, nor is there anything in the REST API for it. I did find a reference to https://portal.loganalytics.io/api/userHistoryQueries when looking at the Developer's Tools, so that could be a good place to start (although you can clear this out, so it is not a good permanent record).

I would suggest adding a suggestion to https://feedback.azure.com/forums/920458-azure-sentinel to try to get this feature added.

Thank you very much for your suggestion, Gary @Gary Bushey

Hello @Pinku1725

“Expect a preview soon” is all I can say for now. Thanks, Clive