Add note about query audit visibility in MSSP and delegated access scenarios#291
Add note about query audit visibility in MSSP and delegated access scenarios#2910ccupi3R wants to merge 1 commit into
Conversation
|
@0ccupi3R : Thanks for your contribution! The author(s) and reviewer(s) have been notified to review your proposed change. |
|
@microsoft-github-policy-service agree |
|
@0ccupi3R I'm checking this out. We've talked for a while about the best way to tactfully publish this access scenario but hadn't come to consensus yet. |
|
#label:"aq-pr-triaged" |
There was a problem hiding this comment.
Pull request overview
This PR adds an IMPORTANT documentation note to clarify that, in Azure Lighthouse/MSSP/delegated-access scenarios, cross-workspace queries against a customer’s Log Analytics workspace can be auditable (for example, via query audit logs) when query auditing is enabled—improving transparency for customers and service providers.
Changes:
- Added a delegated-access auditability note to the cross-workspace query documentation.
- Added the same auditability note to the API-focused cross-workspace queries documentation.
Reviewed changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated 2 comments.
| File | Description |
|---|---|
| articles/azure-monitor/logs/cross-workspace-query.md | Adds an IMPORTANT note about query audit visibility for delegated-access cross-workspace queries. |
| articles/azure-monitor/logs/api/cross-workspace-queries.md | Adds the same IMPORTANT note in the API reference article for cross-workspace queries. |
|
Learn Build status updates of commit 2329af1: ✅ Validation status: passed
For more details, please refer to the build report. |
|
Hi @austinmccollum, Thanks for working on this PR. I would like to point out one more page where the same description could be added at the end of this section: This page does not appear to have an edit option available. |
|
This pull request has been inactive for at least 14 days. If you are finished with your changes, don't forget to sign off. See the contributor guide for instructions. |
Add a documentation note highlighting that cross-workspace queries executed against a customer Log Analytics workspace may be recorded in query audit logs (for example, LAQueryLogs) when query auditing is enabled.
The intent is not to describe a security issue or vulnerability, but to clarify auditability and transparency considerations for Azure Lighthouse, MSSP, and other delegated-access scenarios. Customers with access to query audit records may have visibility into query activity performed against their workspaces, including query metadata depending on the execution path and audit configuration.
This is generally for MSSPs who use cross workspace query from their Sentinel env to keep the Analytics/Hunting Queries (secret sauce) in their environment.
Note: closed the older PR #290 as it was mistakenly committed form incorrect account. Thanks