Forum Discussion
Jaibhanu
Mar 07, 2022
Copper Contributor
Azure Sentinel
Hi, I am a beginner with Azure Sentinel.
I want to know where the diagnostics from Azure resources are saved so that I can create a KQL query for any updates or modifications on the Azure resources.
Thank you
- Clive_Watson (Bronze Contributor)
  Azure Diagnostics are typically in a table called "AzureDiagnostics": https://docs.microsoft.com/en-us/azure/azure-monitor/reference/tables/azurediagnostics
  Diagnostics are enabled 'per resource' or via Policy: https://docs.microsoft.com/en-us/azure/azure-monitor/essentials/diagnostic-settings?tabs=CMD
  Change and modification can also be seen with ARG (https://docs.microsoft.com/en-us/azure/governance/resource-graph/how-to/get-resource-changes?tabs=azure-cli), but you have to use a Workbook to access that with KQL.
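
The Resource Graph route mentioned in the reply above, as an added example that is not part of the original thread: a query against the ARG `resourcechanges` table that lists recent updates and deletions with the properties that changed. The 7-day window and the choice of change types are assumptions to adjust for your environment.

```kusto
// Run with the Azure Resource Graph data source (for example a Workbook query step),
// not in a Log Analytics workspace: resourcechanges is an ARG table.
// Constructed example: the time window and change-type filter are illustrative.
resourcechanges
| extend changeTime        = todatetime(properties.changeAttributes.timestamp),
         targetResourceId  = tostring(properties.targetResourceId),
         changeType        = tostring(properties.changeType),
         correlationId     = tostring(properties.changeAttributes.correlationId),
         changeCount       = toint(properties.changeAttributes.changesCount),
         changedProperties = properties.changes   // bag: property path -> previousValue / newValue
| where changeTime > ago(7d)
| where changeType in ("Update", "Delete")        // drop "Create" to focus on modifications
| project changeTime, changeType, targetResourceId, changeCount, correlationId, changedProperties
| order by changeTime desc
```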