Forum Discussion

snteran's avatar
snteran
Copper Contributor
Jun 07, 2021
Solved

Search ASC alerts using KQL

We have several alerts that have been generated in Azure Security Center and all have been marked as "Dismiss".  Unfortunately I'm not able to see who has marked them as "Dismiss".  I was hoping to r...
  • Rod_Trent's avatar
    Rod_Trent
    Jun 07, 2021

    snteran That's contained in the Azure Activity log. You can create a Diag Setting to send the Azure Activity log to a Log Analytics workspace and then query it.

     

    Or...you could connect ASC to Azure Sentinel and query it there:

     

    AzureActivity
    | sort by TimeGenerated desc
    | where OperationNameValue == "MICROSOFT.SECURITY/LOCATIONS/ALERTS/DISMISS/ACTION" and ActivityStatusValue == "Success"
    | project Caller, CallerIpAddress

Rod_Trent's avatar
Rod_Trent
Icon for Microsoft rankMicrosoft
Jun 07, 2021

snteran That's contained in the Azure Activity log. You can create a Diag Setting to send the Azure Activity log to a Log Analytics workspace and then query it.

 

Or...you could connect ASC to Azure Sentinel and query it there:

 

AzureActivity
| sort by TimeGenerated desc
| where OperationNameValue == "MICROSOFT.SECURITY/LOCATIONS/ALERTS/DISMISS/ACTION" and ActivityStatusValue == "Success"
| project Caller, CallerIpAddress

snteran's avatar
snteran
Copper Contributor
Jun 08, 2021
Thank you so much for your assistance. I was looking through Activity log but there were so many other entries that it would have taken me for ever. Once I used "Dismiss" in the search field, I found it immediately. Also the query worked perfectly. I am working on gaining knowledge in the MS Office security tools as well as ASC. If you have some of your favorite BLOG's/sites or any other training tools to help my gain the needed knowledge, I'd appreciate your insight.
Serge