May 05 2020 09:05 PM
How do I get the query history for a user? Is it possible to see what queries were run by a user, or can we create any rule for this in Azure Sentinel? I can see the queries run by myself in the history, but what if I want to audit the queries run by any user in Sentinel? Is this possible in Sentinel, and if so, how would it be done?
May 06 2020 03:39 AM
@Pinku1725 Got the same question from our data privacy officer the other day. Didn't find a way to audit query history. It is sort of a valid point, given the huge amount of data that's available in a workspace.
May 06 2020 05:07 AM
@Pinku1725 That data is stored somewhere, since you can see your query history when you go into the Logs page; unfortunately, I have no idea where it is stored. I did not find anything in the logs that seems like it would store it, nor is there anything in the REST API for it. I did find a reference to https://portal.loganalytics.io/api/userHistoryQueries when looking at the Developer Tools, so that could be a good place to start (although you can clear this out, so it is not a good permanent record).
I would suggest adding a suggestion to https://feedback.azure.com/forums/920458-azure-sentinel to try to get this feature added.
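Added example, not part of any post in this thread: the Log Analytics query audit log. When a workspace's diagnostic settings send the "Audit" category to a workspace, each query run against it (including queries run from the Sentinel Logs blade, which executes against the same workspace) is recorded in the LAQueryLogs table with the caller's AAD identity and the query text. The thread does not mention this setting, so the example assumes it has been enabled; the table name and column names used below (AADEmail, QueryText, RequestClientApp, ResponseCode, ResponseDurationMs, RequestContext) are the table's real schema, while the list of "sensitive" tables is a constructed placeholder to adapt to your own environment.

```kql
// Added example (not from the thread). Assumes query auditing is enabled
// on the workspace via Diagnostic Settings -> "Audit" category, which
// writes one row per query into the LAQueryLogs table.

// Constructed placeholder: tables whose access you want to review.
let sensitiveTables = dynamic(["SigninLogs", "SecurityEvent", "OfficeActivity"]);

// 1. Raw per-user query history for the last 7 days, newest first.
//    RequestContext carries the workspace resource ID the query targeted.
LAQueryLogs
| where TimeGenerated > ago(7d)
| where isnotempty(AADEmail)
| project TimeGenerated, AADEmail, RequestClientApp, ResponseCode,
          ResponseDurationMs, RequestContext, QueryText
| order by TimeGenerated desc;

// 2. Audit view: who touched sensitive tables, how often, and an example
//    query text per user. Only successful queries (HTTP 200) are counted,
//    so failed or unauthorized attempts are reviewed separately below.
LAQueryLogs
| where TimeGenerated > ago(7d)
| where ResponseCode == 200
| where QueryText has_any (sensitiveTables)
| summarize Queries = count(),
            FirstSeen = min(TimeGenerated),
            LastSeen  = max(TimeGenerated),
            SampleQuery = any(QueryText)
          by AADEmail, RequestClientApp
| order by Queries desc;

// 3. Failed queries (non-200 responses) per user: repeated failures
//    against a workspace can indicate probing for tables or permissions.
LAQueryLogs
| where TimeGenerated > ago(7d)
| where ResponseCode != 200
| summarize Failures = count(), Codes = make_set(ResponseCode) by AADEmail
| where Failures > 5
| order by Failures desc
```

The first query answers the original question directly (what did a given user run); filter it with `| where AADEmail == "user@example.com"` to scope it to one person. The second and third can be wrapped in a Sentinel scheduled analytics rule, which is the "rule for this" asked about above, since they are ordinary KQL over the workspace. Note that the audit category is per workspace, so it must be enabled on every workspace whose queries you want to see, and the table only contains queries run after it was turned on.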
May 06 2020 05:42 AM
Thank you very much for your suggestion, Gary @Gary Bushey
May 07 2020 10:14 AM