Forum Discussion
Solved
Export and Import Saved Queries and Functions from one Sentinel Workspace to Another
I have been getting so much value out of Azure Sentinel, custom log types, and custom functions to parse logs and make them easy to query in KQL (I have Sysmon, Suricata and Zeek among others). I've ...
rpargman You need to use the Log Analytics REST API to get access to those. Take a look at: https://docs.microsoft.com/en-us/rest/api/loganalytics/savedsearches to get started
rpargmanI had to do this the other day
# Get-AzContext -ListAvailable
# Set the source workspace
Set-AzContext -Subscription "<Source Subscription>"
$ResourceGroup = "<Source RG>"
$WorkspaceName = "<Source WorkSpace"
# Only export saved queries from these categories
$Categories = ("sec", "usage", "proxy", "win", "o365")
$ExportedSearches = (Get-AzOperationalInsightsSavedSearch -ResourceGroupName $ResourceGroup -WorkspaceName $WorkspaceName).Value.Properties | Where-Object { $Categories -contains $_.Category }
# Set the destination workspace
Set-AzContext -Subscription "<Dest Subscription>"
$ResourceGroup = "<Dest RG>"
$WorkspaceName = "<Dest WorkSpace"
# Import Saved Searches
foreach ($search in $ExportedSearches) {
$id = $search.Category + "|" + $search.DisplayName
New-AzOperationalInsightsSavedSearch -Force -ResourceGroupName $ResourceGroup -WorkspaceName $WorkspaceName -SavedSearchId $id -DisplayName $search.DisplayName -Category $search.Category -Query $search.Query -Version $search.Version
}
This is very useful, but I'd appreciate some help doing this slightly differently please:
1. dump searches to a file
2. import the file back to sentinel (say after making some changes)
eg:
Get-AzOp.... > outfile
New-AzOp... < outfile
I can't figure out the correct format for outfile and I don't know the import command using a file.
SocInABox just use JSON to serialise it:
export-searches.ps1 (./export-searches.ps1 myRG myWorkspace > searches.json)
$ResourceGroup = $args[0] $WorkspaceName = $args[1] (Get-AzOperationalInsightsSavedSearch -ResourceGroupName $ResourceGroup -WorkspaceName $WorkspaceName).Value.Properties | ConvertTo-JsonYou can easily add, remove, update queries in the JSON file then:
import-searches.ps1 (./import-searches.ps1 myRG myWorkspace searches.json)
$ResourceGroup = $args[0] $WorkspaceName = $args[1] $InputFile = $args[2] foreach ($search in Get-Content $InputFile | ConvertFrom-Json) { $id = $search.Category + "|" + $search.DisplayName Write-Output "Importing $($search.DisplayName) ($($search.Category))" New-AzOperationalInsightsSavedSearch -Force -ResourceGroupName $ResourceGroup -WorkspaceName $WorkspaceName -SavedSearchId $id -DisplayName $search.DisplayName -Category $search.Category -Query $search.Query -Version $search.Version }pemontto , thanks again for your excellent queries.
Maybe someone can use these variations I made for my purpose:Title: Scripts for House Cleaning your Saved Searches in Sentinel
./export-search.ps1<resource group> <workspace> > test.json
#export ALL saved searches
$ResourceGroup = $args[0]
$WorkspaceName = $args[1](Get-AzOperationalInsightsSavedSearch -ResourceGroupName $ResourceGroup -WorkspaceName $WorkspaceName).Value.Properties | ConvertTo-Json
./export-search-bycategories.ps1<resource group> <workspace> > test.json
#export only the saved search categories specified in the $Categories variable below.
$ResourceGroup = $args[0]
$WorkspaceName = $args[1]
# Only export saved queries from these categories - comma separated
$Categories = ("test")
(Get-AzOperationalInsightsSavedSearch -ResourceGroupName $ResourceGroup -WorkspaceName $WorkspaceName).Value.Properties | Where-Object { $Categories -contains $_.Category }
|ConvertTo-Json
./import-searches.ps1 <resource group> <workspace> test.json
# use this to import after making your changes from the above export json
$ResourceGroup = $args[0]
$WorkspaceName = $args[1]
$InputFile = $args[2]
foreach ($search in Get-Content $InputFile | ConvertFrom-Json) {
$id = $search.Category + "|" + $search.DisplayName
Write-Output "Importing $($search.DisplayName) ($($search.Category))"
New-AzOperationalInsightsSavedSearch -Force -ResourceGroupName $ResourceGroup -WorkspaceName $WorkspaceName -SavedSearchId $id -DisplayName $search.DisplayName -Category $search.Category -Query $search.Query -Version $search.Version
}
./remove-searches.ps1 <resource group> <workspace> test.json
# use this to REMOVE saved searches
# note: if you remove the last saved search from a category it will automatically remove the category folder
$ResourceGroup = $args[0]
$WorkspaceName = $args[1]
$InputFile = $args[2]
foreach ($search in Get-Content $InputFile | ConvertFrom-Json) {
$id = $search.Category + "|" + $search.DisplayName
Write-Output "Removing $($search.DisplayName) ($($search.Category))"
Remove-AzOperationalInsightsSavedSearch -ResourceGroupName $ResourceGroup -WorkspaceName $WorkspaceName -SavedSearchId $id -debug
}
./remove-query.ps1 <resource group> <workspace> "<folder category>|<query name>"
# use this to remove a single query
# pro tip - you can NOT remove a category/folder but removing the last query will automatically remove the folder
$ResourceGroup = $args[0]
$WorkspaceName = $args[1]
$query = $args[2]
Write-Output "Removing query: $query"
Remove-AzOperationalInsightsSavedSearch -ResourceGroupName $ResourceGroup -WorkspaceName $WorkspaceName -SavedSearchId $query -debug
- Hey thanks for the great input in this thread. I wanted to check in before I go about trying to do this with functions. My question is basically the same. I was hoping to find a way to do this with the az-cli and core functions. Not so much as exporting, which would be a bonus. But editing and saving. I went through and did this in the GUI yesterday and it was a time consuming to say the least. Would you by chance have any guidance on that?
