How to get custom Microsoft Sentinel hunting queries using the REST API

Introduction

This post is in response to a question that was asked on LinkedIn. The person wanted to know how to get the custom hunting queries using the REST API since it didn’t seem that any of the Microsoft Sentinel APIs retrieve that information.

That is correct. There are no Microsoft Sentinel REST APIs to get the custom hunting queries.

How to get them

So then, how do you get them? Hunting queries are stored as saved queries (saved searches) on the Log Analytics workspace, not as analytic rules, so they live under a different resource provider than the one the Microsoft Sentinel REST APIs use. Instead of the “Microsoft.SecurityInsights” provider you use “Microsoft.OperationalInsights”, the Log Analytics provider.

If you do not know how to set up PowerShell to call the Microsoft Sentinel REST APIs, refer back to Your first Azure Sentinel REST API call – Yet Another Security Blog (garybushey.com)

The URL to list the saved searches in a workspace is

https://management.azure.com/subscriptions/<subscription>/resourceGroups/<resourceGroup>/providers/Microsoft.OperationalInsights/workspaces/<workspace>/savedSearches?api-version=2017-04-26-preview

This will retrieve a listing of every saved query in the workspace, not just the hunting ones, so you also need to filter on the “category” field under “properties” and keep only the entries whose category is “Hunting Queries”.
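As an added example (not code from the original post), here is a PowerShell script that calls the savedSearches URL above and keeps only the entries whose properties.category is “Hunting Queries”. The subscription, resource group, workspace and bearer token are placeholders you supply; the sample response at the bottom is constructed to show the shape of the data so the filter can be exercised without a token, and the tag names in it (description, tactics) are assumptions about how Sentinel tags its hunting queries, not something the post states.

```powershell
# Added example: retrieve custom Microsoft Sentinel hunting queries through the
# Microsoft.OperationalInsights savedSearches REST API. Not from the original post.

function Select-HuntingQueries {
    # The savedSearches call returns every saved query in the workspace; hunting
    # queries are the ones whose properties.category equals "Hunting Queries".
    param([Parameter(Mandatory)] [object[]] $SavedSearches)

    $SavedSearches |
        Where-Object { $_.properties.category -eq 'Hunting Queries' } |
        ForEach-Object {
            [pscustomobject]@{
                Name        = $_.name
                DisplayName = $_.properties.displayName
                Category    = $_.properties.category
                Query       = $_.properties.query
                # Tags is a list of name/value pairs; flatten it for display.
                Tags        = (($_.properties.tags | ForEach-Object { "$($_.name)=$($_.value)" }) -join '; ')
            }
        }
}

function Get-SentinelHuntingQueries {
    param(
        [Parameter(Mandatory)] [string] $SubscriptionId,
        [Parameter(Mandatory)] [string] $ResourceGroup,
        [Parameter(Mandatory)] [string] $Workspace,
        # Bearer token for the https://management.azure.com/ audience; the caller
        # needs read access to the workspace (for example Log Analytics Reader).
        [Parameter(Mandatory)] [string] $AccessToken,
        # The api-version used in the post.
        [string] $ApiVersion = '2017-04-26-preview'
    )

    $uri = "https://management.azure.com/subscriptions/$SubscriptionId" +
           "/resourceGroups/$ResourceGroup" +
           "/providers/Microsoft.OperationalInsights/workspaces/$Workspace" +
           "/savedSearches?api-version=$ApiVersion"

    $headers  = @{ Authorization = "Bearer $AccessToken" }
    $response = Invoke-RestMethod -Method Get -Uri $uri -Headers $headers

    # The list is returned under "value"; filter it down to hunting queries.
    Select-HuntingQueries -SavedSearches $response.value
}

# Constructed sample response (shape only, not real workspace data) so the filter
# can be run offline. A live call would look like:
#   Get-SentinelHuntingQueries -SubscriptionId '<subscription>' -ResourceGroup '<resourceGroup>' `
#       -Workspace '<workspace>' -AccessToken $token
$sampleSavedSearches = @(
    [pscustomobject]@{
        name       = '11111111-1111-1111-1111-111111111111'
        properties = [pscustomobject]@{
            category    = 'Hunting Queries'
            displayName = 'Rare process launched (sample)'
            query       = 'SecurityEvent | where EventID == 4688 | summarize count() by Process | where count_ < 5'
            tags        = @(
                [pscustomobject]@{ name = 'description'; value = 'Constructed sample hunting query' },
                [pscustomobject]@{ name = 'tactics';     value = 'Execution' }
            )
        }
    },
    [pscustomobject]@{
        name       = '22222222-2222-2222-2222-222222222222'
        properties = [pscustomobject]@{
            category    = 'General Exploration'
            displayName = 'All Syslog (sample)'
            query       = 'Syslog | take 100'
            tags        = @()
        }
    }
)

# Only the first entry survives the category filter.
Select-HuntingQueries -SavedSearches $sampleSavedSearches | Format-List
```

Two things worth knowing when you run this against a real workspace: the query text comes back in clear, so treat the output as you would any other detection content, and because the call lists every saved search in the workspace, the caller's token only needs workspace read permission on the Microsoft.OperationalInsights provider, not any Microsoft Sentinel (Microsoft.SecurityInsights) role.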

Summary

This short blog post shows how to get the custom hunting queries using a REST API. Because they are stored as Log Analytics saved searches, the call goes to a different provider than the one used for the other Microsoft Sentinel REST API calls, which is what confuses people.
