S7RAY
Copper Contributor
May 27, 2020

Audit Trail for Sentinel Incident Management

Is there an audit trail for us to track incident management, creation/editing/deletion of rules and such on Azure Sentinel?

1 Reply

  • S7RAY This capability exists somewhat in the AzureActivity data. Here's an example for an alert being deleted:

    AzureActivity
    | where OperationName == "Delete Alert Rules" and ActivityStatusValue == "Succeeded"
    | project Caller, EventSubmissionTimestamp

    This will be better exposed in the near future.
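
Added example, not part of the original reply: the same filter widened from deletions to any operation whose name mentions alert rules, summarized per caller, and run over a constructed `datatable` so it works without live data. Only "Delete Alert Rules" and the column names come from the thread; the "Update Alert Rules" operation name, the "Failed" status value, the callers and the timestamps are assumptions made up for illustration.

```kusto
// Constructed sample rows using the AzureActivity columns named in the reply.
// Swap SampleActivity for AzureActivity to query a real workspace.
let SampleActivity = datatable(
    EventSubmissionTimestamp: datetime,
    Caller: string,
    OperationName: string,
    ActivityStatusValue: string)
[
    datetime(2020-05-25 09:12:02), "analyst1@example.com", "Update Alert Rules", "Succeeded",
    datetime(2020-05-25 14:40:17), "analyst2@example.com", "Delete Alert Rules", "Failed",
    datetime(2020-05-26 08:03:45), "analyst2@example.com", "Delete Alert Rules", "Succeeded",
    datetime(2020-05-26 08:05:10), "analyst2@example.com", "Delete Alert Rules", "Succeeded",
    datetime(2020-05-26 11:30:00), "analyst1@example.com", "Update Alert Rules", "Succeeded"
];
SampleActivity
// Substring match keeps the reply's "Delete Alert Rules" and also picks up
// sibling operations (assumed here to share the "Alert Rules" wording).
| where OperationName contains "Alert Rules"
// Keep only completed changes, as in the reply; the failed attempt drops out.
| where ActivityStatusValue == "Succeeded"
// One row per caller and operation: how many changes, and when.
| summarize Changes = count(),
            FirstSeen = min(EventSubmissionTimestamp),
            LastSeen = max(EventSubmissionTimestamp)
    by Caller, OperationName
| order by LastSeen desc
```

Dropping the `ActivityStatusValue` filter shows failed attempts as well, which is often what an audit review wants to see alongside the successful changes.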
