Audit Log Analytics history

As part of Microsoft Ignite, Microsoft announced a new feature that provides insight into which queries are being run within a Log Analytics workspace. Log Analytics is a centralized log service that can collect audit and log data from many sources, including Office 365, Azure AD, OS-based logs, and PaaS services in Azure, and can of course contain a lot of sensitive data.

Until now, it has not been possible to see an audit history of which queries have been run against the dataset.

To activate this feature, you need to define diagnostic settings for the Log Analytics workspace.

An audit record is created each time a query is run in the destination Log Analytics workspace. If you send the data to a Log Analytics workspace, it’s stored in a table called LAQueryLogs.

Then, by checking the LAQueryLogs table, I can get a full history of the Kusto queries and also the caller's email address.
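
One way to review that history, as an added example that is not part of the original post: a query over LAQueryLogs that summarizes, per caller, the queries touching tables treated here as sensitive. The table list and the 7-day window are assumptions to adjust for your workspace; the column names come from the LAQueryLogs schema.

```kusto
// Tables treated as sensitive are an assumption; replace with your own list.
let SensitiveTables = dynamic(["SigninLogs", "AuditLogs", "OfficeActivity", "SecurityEvent"]);
LAQueryLogs
| where TimeGenerated > ago(7d)              // review window (assumed)
| where ResponseCode == 200                  // only queries that completed successfully
| where QueryText has_any (SensitiveTables)  // text match on the query body
| summarize
    Queries      = count(),
    RowsReturned = sum(ResponseRowCount),
    ClientApps   = make_set(RequestClientApp),
    FirstSeen    = min(TimeGenerated),
    LastSeen     = max(TimeGenerated),
    SampleQuery  = take_any(QueryText)
    by AADEmail
| order by RowsReturned desc
```

The match is on query text, so a query that only mentions one of these table names in a comment or string literal is counted as well. Callers with a high `RowsReturned` or an unexpected entry in `ClientApps` are the ones to look at first.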
