Open
Description
How can one see the full list of saved queries in a Log Analytics workspace using PowerShell?
Steps to reproduce
```powershell
(Get-AzOperationalInsightsSavedSearch -ResourceGroupName <> -Name <>).Value.properties | Select-Object Category,Displayname
```
This shows only a subset of the whole list.
Output
Category | DisplayName |
---|---|
Security | All Security Activities |
Security | Security Activities on the computer "Computer01.contoso.com" (replace with your own computer name) |
Security | Security Activities on the computer "COMPUTER01.contoso.com" for account "Administrator" (replace with your own computer and account names) |
Security | Logon Activity by Computer |
Security | Logon Activity by Computer Where More than 10 logons have happened |
Security | Accounts who terminated Microsoft antimalware ("MsMpEng.exe") on any computer |
Security | Computers where the Microsoft antimalware process ("MsMpEng.exe") was terminated |
Security | Computers where "hash.exe" was executed (replace with different process name) more than 5 times |
Security | All Process names that were executed |
Security | Computers whose security log was cleared |
Security | Logon Activity by Account |
Security | Logon Activity by Account for accounts who only logged on less than 5 times |
Security | Accounts who remotely logged on the computer "Computer01.contoso.com" (replace with your own computer name) |
Security Critical Notable Issues | Distinct malicious IP addresses accessed |
Security Critical Notable Issues | Computers with detected threats |
Security Critical Notable Issues | Computers missing security updates |
Security Critical Notable Issues | Computer with guest account logons |
Security Critical Notable Issues | High priority Active Directory assessment security recommendations |
Security Critical Notable Issues | High priority SQL assessment security recommendations |
Security Warning Notable Issues | Members added To security-enabled groups |
Security Warning Notable Issues | Domain security policy changes |
Security Warning Notable Issues | Computers with system audit policy changes |
Security Warning Notable Issues | Suspicious executables |
Security Warning Notable Issues | Computers with insufficient protection |
Security Warning Notable Issues | Computers missing critical updates |
Security Warning Notable Issues | Logons with a clear text password |
Security Warning Notable Issues | Low priority AD assessment security recommendations |
Security Warning Notable Issues | Low priority SQL assessment security recommendations |
Security Info Notable Issues | Computers with cleaned event logs |
Security Info Notable Issues | Accounts failed to log on |
Security Info Notable Issues | Loading or Unloading of Kernel modules (Linux) |
Security Info Notable Issues | Distinct paths of Executed Commands (Linux) |
Security Info Notable Issues | Accounts failed to login (Linux) |
Security Info Notable Issues | Executed Commands (Linux) |
Security Info Notable Issues | Locked accounts |
Security Info Notable Issues | Change or reset passwords attempts |
Security Info Notable Issues | Security groups created or modified |
Security Info Notable Issues | Remote procedure call(RPC) attempts |
Security Info Notable Issues | User accounts created or enabled |
Security Info Notable Issues | Computers with users added to a Linux group |
Security Info Notable Issues | Computers with new Linux group created |
Security Info Notable Issues | Computers with failed Linux user password change |
Security Info Notable Issues | Computers with failed ssh logons |
Security Info Notable Issues | Computers with failed su logons |
Security Info Notable Issues | Computers with failed sudo logons |
Security Info Notable Issues | Distinct clients resolving malicious domains |
Log Management | All Events |
Log Management | Count of Events containing the word "started" grouped by EventID |
Log Management | Count of Events grouped by Event Log |
Log Management | Count of Events grouped by Event Source |
Log Management | Count of Events grouped by Event ID |
Log Management | All Events with level "Warning" |
Log Management | Count of Events with level "Warning" grouped by Event ID |
Log Management | How many connections to Operations Manager's SDK service by day |
Log Management | Events in the Operations Manager Event Log whose Event ID is in the range between 2000 and 3000 |
Log Management | When did my servers initiate restart? |
Log Management | Windows Firewall Policy settings have changed |
Log Management | On which machines and how many times have Windows Firewall Policy settings changed |
Log Management | All IIS Log Entries |
Log Management | Shows breakdown of response codes |
Log Management | Find the maximum time taken for each page |
Log Management | Shows which pages people are getting a 404 for |
Log Management | Average HTTP Request time by HTTP Method |
Log Management | Shows servers that are throwing internal server error |
Log Management | Count of IIS Log Entries by HTTP Request Method |
Log Management | Count of IIS Log Entries by HTTP User Agent |
Log Management | Count of IIS Log Entries by Client IP Address |
Log Management | IIS Log Entries for a specific client IP Address (replace with your own) |
Log Management | Count of IIS Log Entries by URL requested by client (without query strings) |
Log Management | Count of IIS Log Entries by Host requested by client |
Log Management | Count of IIS Log Entries by URL for the host "www.contoso.com" (replace with your own) |
Log Management | Total Bytes sent by Client IP Address |
Log Management | Total Bytes received by each Azure Role Instance |
Log Management | Total Bytes received by each IIS Computer |
Log Management | Total Bytes responded back to clients by each IIS ServerIP Address |
Log Management | Total Bytes responded back to clients by Client IP Address |
Log Management | Average HTTP Request time by Client IP Address |
Log Management | All Syslogs |
Log Management | All Syslog Records with Errors |
Log Management | All Syslog Records grouped by Facility |
Log Management | All Syslog Records grouped by ProcessName |
General Exploration | Which Management Group is generating the most data points? |
General Exploration | Distribution of data Types |
General Exploration | All Computers with their most recent data |
General Exploration | Stale Computers (data older than 24 hours) |
Alert Management | Critical alerts raised during the past 24 hours |
Alert Management | Warning alerts raised during the past 24 hours |
Alert Management | Sources with active alerts raised during the past 24 hours |
Alert Management | Critical alerts raised during the past 24 hours which are still active |
Alert Management | Alerts raised during the past 24 hours which are now closed |
Alert Management | Alerts raised during the past 1 day grouped by their severity |
Alert Management | Alerts raised during the past 1 day sorted by their repeat count value |
Alert Management | Alerts raised by Nagios Servers |
Alert Management | Alerts raised by Zabbix Server |
UpdateCompliance | Update deployment failures |
UpdateCompliance | Devices pending reboot to complete update |
UpdateCompliance | OS Servicing branch distribution for the devices |
UpdateCompliance | OS Edition distribution for the devices |
UpdateCompliance | Deferral configurations for Feature Update |
UpdateCompliance | Pause configurations for Feature Update |
UpdateCompliance | Deferral configurations for Quality Update |
UpdateCompliance | Pause configurations for Quality Update |
UpdateCompliance | Devices not assessed for Defender AV |
Many queries like the one highlighted in the list below are missing from the output of the cmdlet.
The list from the Azure Portal
Environment data
Name | Value |
---|---|
OS | Microsoft Windows 10.0.19043 |
PSVersion | 7.1.3 |
WSManStackVersion | 3.0 |
PSCompatibleVersions | {1.0, 2.0, 3.0, 4.0…} |
PSRemotingProtocolVersion | 2.3 |
PSEdition | Core |
SerializationVersion | 1.1.0.1 |
GitCommitId | 7.1.3 |
Platform | Win32NT |
```powershell
Get-Module -ListAvailable Az.operationalinsights | Select-Object ModuleType,Version,CompatiblePSEditions,Name
```
ModuleType | Version | CompatiblePSEditions | Name |
---|---|---|---|
Script | 2.3.0 | {Core, Desktop} | Az.OperationalInsights |
Document Details
- Content: Get-AzOperationalInsightsSavedSearch (Az.OperationalInsights) - PowerShell
- Content Source: src/OperationalInsights/OperationalInsights/help/Get-AzOperationalInsightsSavedSearch.md
- Service: azure-monitor
- Sub-service: logs