Skip to content

Add note about query audit visibility in MSSP and delegated access scenarios#291

Open
0ccupi3R wants to merge 1 commit into
MicrosoftDocs:mainfrom
0ccupi3R:main
Open

Add note about query audit visibility in MSSP and delegated access scenarios#291
0ccupi3R wants to merge 1 commit into
MicrosoftDocs:mainfrom
0ccupi3R:main

Conversation

@0ccupi3R

Copy link
Copy Markdown

Add a documentation note highlighting that cross-workspace queries executed against a customer Log Analytics workspace may be recorded in query audit logs (for example, LAQueryLogs) when query auditing is enabled.

The intent is not to describe a security issue or vulnerability, but to clarify auditability and transparency considerations for Azure Lighthouse, MSSP, and other delegated-access scenarios. Customers with access to query audit records may have visibility into query activity performed against their workspaces, including query metadata depending on the execution path and audit configuration.

This is generally for MSSPs who use cross workspace query from their Sentinel env to keep the Analytics/Hunting Queries (secret sauce) in their environment.

Note: closed the older PR #290 as it was mistakenly committed form incorrect account. Thanks

@prmerger-automator

Copy link
Copy Markdown
Contributor

@0ccupi3R : Thanks for your contribution! The author(s) and reviewer(s) have been notified to review your proposed change.

@0ccupi3R

Copy link
Copy Markdown
Author

@microsoft-github-policy-service agree

@austinmccollum

Copy link
Copy Markdown
Contributor

@0ccupi3R I'm checking this out. We've talked for a while about the best way to tactfully publish this access scenario but hadn't come to consensus yet.

@v-dirichards

Copy link
Copy Markdown
Contributor

#label:"aq-pr-triaged"
@MicrosoftDocs/public-repo-pr-review-team

@prmerger-automator prmerger-automator Bot added the aq-pr-triaged C+L Pull Request Review Team label label Jun 10, 2026

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR adds an IMPORTANT documentation note to clarify that, in Azure Lighthouse/MSSP/delegated-access scenarios, cross-workspace queries against a customer’s Log Analytics workspace can be auditable (for example, via query audit logs) when query auditing is enabled—improving transparency for customers and service providers.

Changes:

  • Added a delegated-access auditability note to the cross-workspace query documentation.
  • Added the same auditability note to the API-focused cross-workspace queries documentation.

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated 2 comments.

File Description
articles/azure-monitor/logs/cross-workspace-query.md Adds an IMPORTANT note about query audit visibility for delegated-access cross-workspace queries.
articles/azure-monitor/logs/api/cross-workspace-queries.md Adds the same IMPORTANT note in the API reference article for cross-workspace queries.

Comment thread articles/azure-monitor/logs/cross-workspace-query.md
Comment thread articles/azure-monitor/logs/api/cross-workspace-queries.md
@learn-build-service-prod

Copy link
Copy Markdown
Contributor

Learn Build status updates of commit 2329af1:

✅ Validation status: passed

File Status Preview URL Details
articles/azure-monitor/logs/api/cross-workspace-queries.md ✅Succeeded
articles/azure-monitor/logs/cross-workspace-query.md ✅Succeeded

For more details, please refer to the build report.

@Occupi3R

Copy link
Copy Markdown

Hi @austinmccollum,

Thanks for working on this PR.

I would like to point out one more page where the same description could be added at the end of this section:

https://learn.microsoft.com/en-us/azure/sentinel/extend-sentinel-across-workspaces-tenants#include-cross-workspace-queries-in-scheduled-analytics-rules

This page does not appear to have an edit option available.

@github-actions

Copy link
Copy Markdown

This pull request has been inactive for at least 14 days. If you are finished with your changes, don't forget to sign off. See the contributor guide for instructions.
Get Help
Docs Support Teams Channel
Resolve Merge Conflict

@github-actions github-actions Bot added the inactive This PR is inactive for more than 14 days label Jun 25, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

aq-pr-triaged C+L Pull Request Review Team label azure-monitor/svc Change sent to author do-not-merge inactive This PR is inactive for more than 14 days logs/subsvc

Projects

None yet

Development

Successfully merging this pull request may close these issues.

5 participants