Forum Discussion

Rayen's avatar
Rayen
Copper Contributor
Jan 13, 2025
Solved

Fetch Sentinel admin activity

Hello, I would like to know if there is a specific query available to fetch Sentinel admin activities directly from Sentinel itself. Thank you!
analytics
data collection
Log Data
monitoring
playbooks
siem
  • Clive_Watson's avatar
    Clive_Watson
    Jan 24, 2025

    There is some data in the Activity logs, here is a brief example

     

    AzureActivity 
| where TimeGenerated  > ago(90d)
| where ResourceProviderValue =~ "Microsoft.SecurityInsights" 
| extend eventCategory_ = tostring(parse_json(Properties).eventCategory)

     

Clive_Watson's avatar
Clive_Watson
Bronze Contributor
Jan 24, 2025

There is some data in the Activity logs, here is a brief example

 

AzureActivity 
| where TimeGenerated  > ago(90d)
| where ResourceProviderValue =~ "Microsoft.SecurityInsights" 
| extend eventCategory_ = tostring(parse_json(Properties).eventCategory)

 

Resources