S7RAY
May 27, 2020
Copper Contributor
Audit Trail for Sentinel Incident Management
Is there an audit trail for us to track incident management, creation/editing/deletion of rules and such on Azure Sentinel?
1 Reply
- Rod_Trent
Microsoft
S7RAY This capability exists somewhat in the AzureActivity data. Here's an example for an alert being deleted:

AzureActivity
| where OperationName == "Delete Alert Rules" and ActivityStatusValue == "Succeeded"
| project Caller, EventSubmissionTimestamp

This will be better exposed in the near future.
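
An added example, not part of the reply above: the same AzureActivity approach widened from rule deletion to any create, edit, or delete operation against Sentinel resources, which covers the rule and incident changes the question asks about. It assumes the workspace ingests the Azure Activity log, that rows carry `OperationNameValue` in the form `Microsoft.SecurityInsights/<type>/<action>`, and that the status text may be either `Succeeded` or `Success` depending on schema version.

```kql
// Added example (not from the original thread).
// Assumption: OperationNameValue looks like "Microsoft.SecurityInsights/<type>/<action>".
AzureActivity
| where TimeGenerated > ago(30d)
// startswith is case-insensitive, so upper-cased provider names also match
| where OperationNameValue startswith "Microsoft.SecurityInsights/"
// Assumption: status text differs between schema versions
| where ActivityStatusValue in~ ("Succeeded", "Success")
| extend parts = split(tolower(OperationNameValue), "/")
// parts[1] is the resource type; the last element is the action
| extend ResourceType = tostring(parts[1]),
         Action = tostring(parts[array_length(parts) - 1])
// keep changes only: create/edit (write), delete, and invoked actions
| where Action in ("write", "delete", "action")
| project TimeGenerated, Caller, CallerIpAddress, ResourceType, Action,
          OperationName, ResourceGroup, _ResourceId
| sort by TimeGenerated desc
```

Grouping the result with `summarize count() by Caller, ResourceType, Action` gives a per-user view of who changed what.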