For Agents
Manage saved KQL queries inside Azure Log Analytics Query Packs — create, update, delete, list, and search reusable queries that operate against workspaces and Application Insights resources.
Get started with Azure Log Analytics Query Packs in minutes using your preferred integration method.
# Add to your MCP client config (Claude Desktop, Cursor, Windsurf)
{
  "jentic": {
    "url": "https://api.jentic.com/mcp",
    "auth": "oauth"
  }
}
# Then ask your agent:
"search saved KQL queries in an Azure Query Pack"
# → Jentic returns the POST queries/search tool with parameter schema, agent executes.
What an agent can do with Azure Log Analytics Query Packs API.
Save a KQL query into a microsoft.insights/queryPacks container
List every query stored inside a specific Query Pack
Search queries within a Query Pack by tag, related solution, or kind
Update an existing saved query's body, tags, or display name
Delete a saved query from a Query Pack
Retrieve a single query by its queryId for execution
Use for: I need to save a KQL query into a Query Pack, List all queries inside a specific Query Pack, Search Query Packs for queries tagged with a solution name, Update the body of an existing saved query
Not supported: Does not execute KQL queries, manage workspaces, or ingest logs — use for storing, organising, and discovering saved queries inside Query Packs only.
Jentic publishes the only available OpenAPI specification for Azure Log Analytics Query Packs, keeping it validated and agent-ready. The Query Packs API manages saved KQL queries inside microsoft.insights/queryPacks containers, letting teams version, organise, and search reusable queries that target Log Analytics workspaces or Application Insights resources. It exposes per-query CRUD plus a search endpoint that filters queries by tag, kind, or related solution. All requests authenticate with Azure AD OAuth 2.0 against Azure Resource Manager.
Patterns agents use Azure Log Analytics Query Packs API for, with concrete tasks.
Centralised KQL Query Library
Platform teams curate a shared library of KQL queries inside a Query Pack so analysts and incident responders reuse the same logic across workspaces. The PUT on a query inside a pack stores the KQL body alongside tags, a display name, and related solutions, and the search endpoint surfaces matching queries to consumers without duplicating them per workspace.
Save a KQL query named 'Failed sign-ins last 24h' into Query Pack 'qp-security' in resource group 'rg-observability', tagged 'category:identity', with the body 'SigninLogs | where ResultType != 0 | summarize count() by UserPrincipalName'.
Query Discovery via Tag Search
Analysts call the POST search endpoint inside a Query Pack with a body that filters on tags, related solutions, or query kind, and receive only the matching queries. This is faster than enumerating every query in a large pack and supports building UI pickers or chat-driven query selection.
Search Query Pack 'qp-security' for queries tagged 'category:identity' and return their queryId, displayName, and body.
Query Versioning and Cleanup
As detection rules evolve, queries in a pack drift out of date. The PUT on a query is idempotent and replaces the body in place, while DELETE removes obsolete entries. Pair this with a CI workflow that pushes the canonical KQL from a Git repository into the pack on every merge to main.
Update query ID 'fb02-...-9c' in Query Pack 'qp-security' with a new body and bump its tag 'version' from 'v3' to 'v4'.
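A sketch of the CI sync described above, added here as an example and not Jentic's or Microsoft's code: it diffs the Git-held queries against the pack's current contents and plans the idempotent PUTs and cleanup DELETEs on the per-query path from the endpoint list. The `properties` request wrapper, the API-version placeholder and all sample IDs are assumptions.

```python
from urllib.parse import quote

ARM = "https://management.azure.com"
API_VERSION = "API-VERSION-PLACEHOLDER"  # assumption: the page does not state one

def query_url(sub, rg, pack, query_id):
    """Build the per-query ARM URL, percent-encoding every path segment."""
    s, r, p, q = (quote(x, safe="") for x in (sub, rg, pack, query_id))
    return (f"{ARM}/subscriptions/{s}/resourceGroups/{r}/providers/"
            f"microsoft.insights/queryPacks/{p}/queries/{q}"
            f"?api-version={API_VERSION}")

def normalise(q):
    """Reduce a query to the fields that decide whether a PUT is needed."""
    tags = {k: sorted(v) for k, v in (q.get("tags") or {}).items()}
    return (q["displayName"], q["body"].strip(), tags)

def plan_sync(sub, rg, pack, repo, live):
    """repo/live map queryId -> {displayName, body, tags}; returns ordered ops."""
    ops = []
    for qid in sorted(repo):
        if qid not in live or normalise(repo[qid]) != normalise(live[qid]):
            want = repo[qid]
            # Assumption: ARM-style request body with fields under "properties".
            payload = {"properties": {"displayName": want["displayName"],
                                      "body": want["body"],
                                      "tags": want.get("tags", {})}}
            ops.append(("PUT", query_url(sub, rg, pack, qid), payload))
    for qid in sorted(set(live) - set(repo)):  # obsolete entries left in the pack
        ops.append(("DELETE", query_url(sub, rg, pack, qid), None))
    return ops

# Constructed sample data: query IDs and pack contents are made up.
A = "11111111-1111-1111-1111-111111111111"
B = "22222222-2222-2222-2222-222222222222"
REPO = {A: {"displayName": "Failed sign-ins last 24h",
            "body": "SigninLogs | where ResultType != 0 "
                    "| summarize count() by UserPrincipalName",
            "tags": {"category": ["identity"], "version": ["v4"]}}}
LIVE = {A: dict(REPO[A], tags={"category": ["identity"], "version": ["v3"]}),
        B: {"displayName": "Obsolete rule", "body": "Heartbeat | take 1", "tags": {}}}

if __name__ == "__main__":
    for method, url, _ in plan_sync("sub-id-placeholder", "rg-observability",
                                    "qp-security", REPO, LIVE):
        print(method, url)
```

Running the planner against an unchanged pack yields no operations, so the job can run on every merge without consuming ARM write quota.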
Agent-Driven Query Retrieval
An AI agent through Jentic can search a Query Pack for the right saved KQL by intent (e.g., 'find failed sign-ins'), retrieve the query body, and pass it to the Log Analytics Query API for execution. Jentic returns the search and get operations with full schemas, so the agent does not have to hardcode KQL.
Search Query Pack 'qp-security' for the first query tagged 'incident:failed-signins', read its body, and return it for downstream execution.
5 endpoints
| METHOD | PATH | DESCRIPTION |
| --- | --- | --- |
| PUT | /subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/microsoft.insights/queryPacks/{queryPackName}/queries/{queryId} | Save or replace a KQL query in a Query Pack |
| GET | /subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/microsoft.insights/queryPacks/{queryPackName}/queries/{queryId} | Retrieve a single saved query |
| GET | /subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/microsoft.insights/queryPacks/{queryPackName}/queries | List all queries inside a Query Pack |
| POST | /subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/microsoft.insights/queryPacks/{queryPackName}/queries/search | Search queries inside a pack by tag or kind |
| DELETE | /subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/microsoft.insights/queryPacks/{queryPackName}/queries/{queryId} | Delete a query from a pack |
Three things that make agents converge on Jentic-routed access.
Credential isolation
Azure AD service principal credentials are stored encrypted in the Jentic vault. Agents receive short-lived Bearer tokens scoped to https://management.azure.com/ — client secrets never enter the agent context.
Intent-based discovery
Agents search by intent (e.g., 'search saved KQL queries') and Jentic returns the matching microsoft.insights/queryPacks operation with its parameter schema.
Time to first call
Direct integration: half a day for Azure AD app setup and pack/query CRUD wiring. Through Jentic: under 30 minutes — search, load schema, execute.
Alternatives and complements available in the Jentic catalogue.
Azure Log Analytics
Manages the clusters and workspaces that the saved queries actually run against.
Use to provision and manage the cluster backing the workspaces these queries target.
Application Insights Management Client
Manages the Application Insights resources that queries inside a pack often target.
Use to provision Application Insights components that saved queries reference.
Azure Log Analytics - Operations Management
Installs solutions whose tables and signals are then targeted by saved queries.
Use to install the solutions that produce data tables your saved queries operate on.
Specific to using Azure Log Analytics Query Packs API through Jentic.
Why is there no official OpenAPI spec for Azure Log Analytics Query Packs?
Microsoft Azure does not publish a single consolidated OpenAPI specification for the microsoft.insights/queryPacks Resource Provider surface. Jentic generates and maintains this spec so that AI agents and developers can call Azure Log Analytics Query Packs via structured tooling. It is validated against the live API and kept up to date. Get started at https://app.jentic.com/sign-up.
What authentication does this API use?
The API uses Azure Active Directory OAuth 2.0; agents acquire a token for the https://management.azure.com/ resource and pass it as a Bearer token. Jentic stores the service principal credentials in its vault and injects scoped tokens at call time.
Does this API execute KQL queries?
No. Query Packs only store saved query metadata and bodies. To run a query you call the Log Analytics Query API at api.loganalytics.io/v1/workspaces/{workspaceId}/query (data plane) or the Application Insights query endpoint, passing the KQL body retrieved from the pack.
How do I search for queries in a Query Pack through Jentic?
Search Jentic for 'search queries inside a Query Pack', load the resulting POST operation on /subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/microsoft.insights/queryPacks/{queryPackName}/queries/search, then execute it with a filter body that names the tags or related solutions you want.
What metadata can I attach to a saved query?
Each query supports displayName, description, body (the KQL), tags as a string-to-array map, related solutions, and related categories. These are returned by the GET on a single query and are used as filters in the search endpoint.
What are the rate limits for this API?
Azure Resource Manager applies subscription-level throttling — typically 12,000 reads and 1,200 writes per hour per subscription. There is no separate per-Query-Pack quota declared in the spec.