Is there a way to pull sentinel query history for a user.

How to get the user query history for a user? Can it be possible to see what query is run by a user, or can we create any rule for this in Azure Sentinel? I can see the queries run by myself in history, but if I want to audit the queries run by any user in Sentinel, is this possible in Sentinel, and if possible, how will it be done?

@Pinku1725 Got the same question from our data privacy officer the other day. Didn't find a way to audit query history. It's sort of a valid point given the huge amount of data that's available in a workspace.

@Pinku1725 There does not appear to be any way to get a history of queries. You can add a request for this in the Customer Feedback site for Azure Sentinel: https://feedback.azure.com/forums/920458-azure-sentinel

@Pinku1725 That data is stored somewhere, since you can see your query history when you go into the Logs page; unfortunately I have no idea where it is stored. I did not find anything in the logs that seems like it would store it, nor is there anything in the REST API for it. I did find a reference to https://portal.loganalytics.io/api/userHistoryQueries when looking at the Developer's Tools, so that could be a good place to start (although you can clear this out, so it is not a good permanent record).

I would suggest adding a suggestion to https://feedback.azure.com/forums/920458-azure-sentinel to try to get this feature added.

Thank you very much for your suggestion, Gary @Gary Bushey

Hello @Pinku1725

“expect a preview soon” is all I can say for now. Thanks, Clive

@Pinku1725

https://docs.microsoft.com/en-us/azure/azure-monitor/log-query/query-audit
https://docs.microsoft.com/en-us/azure/azure-monitor/reference/tables/laquerylogs
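The two links in the last reply are the answer to the original question: once query auditing is turned on for the workspace through its diagnostic settings (the Audit category, covered by the query-audit link), every query run against the workspace is recorded in the LAQueryLogs table, and that table can be queried like any other. The KQL below is an added example written for this thread, not code from any poster or from Microsoft; the column names follow the LAQueryLogs schema as I know it rather than anything shown on the page, and the user principal name and the row-count threshold are constructed placeholders.

```kql
// Added example: audit what a given user ran against this workspace.
// Assumes query auditing is already enabled and LAQueryLogs is populated.
// Column names are taken from the LAQueryLogs schema (not on the page).
let targetUser = "analyst@contoso.example";   // placeholder UPN, constructed for this example
LAQueryLogs
| where TimeGenerated > ago(30d)
| where AADEmail =~ targetUser                // case-insensitive match on the signed-in account
| project TimeGenerated,
          AADEmail,
          RequestClientApp,                   // e.g. portal Logs blade vs. API/automation clients
          RequestTarget,                      // workspace the query was executed against
          QueryTimeRangeStart, QueryTimeRangeEnd,
          ResponseCode,                       // 200 = succeeded; non-200 still records the attempt
          ResponseRowCount, ResponseDurationMs,
          QueryText                           // the full KQL the user submitted
| order by TimeGenerated desc

// --- second query (run it separately): spot accounts pulling unusually large
// result sets, the bulk-export pattern a data privacy officer would want flagged.
LAQueryLogs
| where TimeGenerated > ago(7d)
| where ResponseCode == 200
| summarize Queries       = count(),
            RowsReturned  = sum(ResponseRowCount),
            LargestResult = max(ResponseRowCount)
            by AADEmail, RequestClientApp
| where LargestResult > 100000                // threshold is an assumption; tune per workspace
| order by RowsReturned desc
```

Both statements run unchanged in the Logs blade; the second one is also the shape you would put into a scheduled analytics rule if the goal is an alert rather than an after-the-fact report. Note that LAQueryLogs only captures queries from the point auditing was enabled onward, so it does not reach back to the per-user history the portal shows, and it lives in whatever workspace the diagnostic setting sends the Audit category to, which need not be the workspace being audited.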