Rod’s Blog

Share this post

Rod’s Blog
Rod’s Blog
How to Export and Import KQL Query Packs
Copy link
Facebook
Email
Notes
More

How to Export and Import KQL Query Packs

The Full Monty

Rod Trent
Jan 30, 2023
1

Share this post

Rod’s Blog
Rod’s Blog
How to Export and Import KQL Query Packs
Copy link
Facebook
Email
Notes
More
Share

If I hear more questions around a topic in a brief period of time, I assume that It’s necessary to talk about. That’s where this blog post comes from.

Log Analytics (KQL) Query Packs are an awesome tool to use for combining and storing KQL queries. Log Analytics Query Packs are like any other Azure resource. And, as like any other Azure resource, they can be deployed into any Azure tenant or Resource Group in the same tenant.

Rod’s Blog is a reader-supported publication. To receive new posts and support my work, consider becoming a free or paid subscriber.

However, our documentation around this is not the clearest.

When you’re ready to export a KQL Query Pack, open the Log Analytics Query Packs service in the Azure portal.

Export

Locate the Log Analytics Query Pack you want to export in the list, open it directly into the Export Template blade (as shown below), and then choose to Download.

After the download is complete, open it and locate, the template.json file inside.

This .json file is what you will use for the import to other places.

Import directly in the portal

To deploy this using the Azure portal: in the portal, in the Deploy a Custom Template service, choose the Build your own template in the editor option.

In the template editor, copy/paste the contents of the exported .json file into the template window (replacing what is there).

Save the template and you’re whisked away to the deployment process window.

Import from a GitHub Repository

Another way to deploy a Log Analytics Query Pack from a GitHub repository.

Upload the template.json to your GitHub repository and then embed a Deploy to Azure button into the Readme.md page.

Here’s the markup language to use:

[![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2Fgithub-repo-name%2Ffolder-name1%2Fmaster%2Ffolder-name2%2template.json)

Just insert your own information. Replace the following in the code above with your information that points to where you uploaded and are storing the Log Analytics Query Pack deployment .json:

  1. github-repo-name

  2. folder-name1

  3. folder-name2

Clicking on the icon will open the Azure portal and start the custom deployment process.

[Want to discuss this further? Hit me up on Twitter or LinkedIn]

[Subscribe to the RSS feed for this blog]

[Subscribe to the Weekly Microsoft Sentinel Newsletter]

[Subscribe to the Weekly Microsoft Defender Newsletter]

[Learn KQL with the Must Learn KQL series and book]

Rod’s Blog is a reader-supported publication. To receive new posts and support my work, consider becoming a free or paid subscriber.

1

Share this post

Rod’s Blog
Rod’s Blog
How to Export and Import KQL Query Packs
Copy link
Facebook
Email
Notes
More
Share

Discussion about this post

No posts

Ready for more?

© 2025 Rod Trent
Privacy ∙ Terms ∙ Collection notice
Start WritingGet the app
Substack is the home for great culture

Share

Copy link
Facebook
Email
Notes
More