Rayen
Copper Contributor
Jan 13, 2025

Fetch Sentinel admin activity

Hello,

I would like to know if there is a specific query available to fetch Sentinel admin activities directly from Sentinel itself.

Thank you!


  • Clive_Watson
    Bronze Contributor

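    There is some data in the Activity logs; here is a brief example:

    AzureActivity
    // Look back over the last 90 days
    | where TimeGenerated > ago(90d)
    // Keep only operations against the Microsoft Sentinel resource provider
    | where ResourceProviderValue =~ "Microsoft.SecurityInsights"
    // Pull the event category out of the Properties JSON
    | extend eventCategory_ = tostring(parse_json(Properties).eventCategory)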
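
Building on the query in the reply above, the following added example (not part of the original thread) narrows the Activity log to state-changing Sentinel operations and summarises them per caller. The 30-day window, the write/delete/action filter and the output column names are assumptions, and the query only covers what the Azure Activity log records.

```kql
// Added example: who changed what in Microsoft Sentinel, per caller and operation.
// Assumptions: 30-day window; only write/delete/action operations are of interest.
AzureActivity
| where TimeGenerated > ago(30d)
| where ResourceProviderValue =~ "Microsoft.SecurityInsights"
// endswith is case-insensitive, so this matches e.g. ".../ALERTRULES/WRITE"
| where OperationNameValue endswith "/write"
    or OperationNameValue endswith "/delete"
    or OperationNameValue endswith "/action"
// Second path segment is the Sentinel resource type (alert rules, incidents, ...)
| extend SentinelResourceType = tostring(split(OperationNameValue, "/")[1])
// One operation can log several records (start, result) that share a CorrelationId,
// so count distinct correlation IDs rather than rows
| summarize
    Operations = dcount(CorrelationId),
    Failures   = dcountif(CorrelationId, ActivityStatusValue =~ "Failure"),
    FirstSeen  = min(TimeGenerated),
    LastSeen   = max(TimeGenerated),
    SourceIPs  = make_set(CallerIpAddress, 10)
    by Caller, SentinelResourceType, OperationNameValue
| order by LastSeen desc
```

Deletes of analytics rules or data connectors and callers seen from unfamiliar source addresses are the rows worth reviewing first.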

     
