Export and Import Saved Queries and Functions from one Sentinel Workspace to Another

I have been getting so much value out of Azure Sentinel, custom log types, and custom functions to parse logs and make them easy to query in KQL (I have Sysmon, Suricata and Zeek among others). I've ...

GaryBushey
Nov 19, 2020
rpargman You need to use the Log Analytics REST API to get access to those. Take a look at: https://docs.microsoft.com/en-us/rest/api/loganalytics/savedsearches to get started

pemontto

Brass Contributor

SocInABox just use JSON to serialise it:

export-searches.ps1 (./export-searches.ps1 myRG myWorkspace > searches.json)

$ResourceGroup =  $args[0]
$WorkspaceName =  $args[1]

(Get-AzOperationalInsightsSavedSearch -ResourceGroupName $ResourceGroup -WorkspaceName $WorkspaceName).Value.Properties | ConvertTo-Json

You can easily add, remove, update queries in the JSON file then:

import-searches.ps1 (./import-searches.ps1 myRG myWorkspace searches.json)

$ResourceGroup =  $args[0]
$WorkspaceName =  $args[1]
$InputFile = $args[2]

foreach ($search in  Get-Content $InputFile | ConvertFrom-Json) {
    $id = $search.Category + "|" + $search.DisplayName
    Write-Output "Importing $($search.DisplayName) ($($search.Category))"
    New-AzOperationalInsightsSavedSearch -Force -ResourceGroupName $ResourceGroup -WorkspaceName $WorkspaceName -SavedSearchId $id -DisplayName $search.DisplayName -Category $search.Category -Query $search.Query -Version $search.Version
}

SocInABox

Iron Contributor

May 17, 2021

Thanks pemontto , I love you man :D.

Seriously much appreciated I needed that convert-to/from json example.

Forum Discussion

Export and Import Saved Queries and Functions from one Sentinel Workspace to Another

Share

Resources