Forum Discussion
259174
Sep 27, 2025 Copper Contributor
How to Investigate Case Assignment in Sentinel
How can I create a query or find the logs for the person who assigned me a case in Sentinel without alerting them?
1 Reply
- G_Wilson3468 Iron Contributor
I have a KQL query that can get manually assigned incidents. This won't work if an automation was used, but I figured you meant manual anyways.
AzureActivity
| where ResourceProvider == "Microsoft.OperationalInsights"
| where OperationNameValue == "Microsoft.SecurityInsights/Incidents/Update"
| where ActivityStatusValue == "Success"
| where Properties contains "<your_incident_id>"
| project Caller, OperationNameValue, ActivityDateTime, Properties
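
Added example, not part of the reply above and not the poster's query: the SecurityIncident table in the Sentinel workspace logs a row each time an incident is modified, with Owner and ModifiedBy columns, so owner changes can be read from it directly instead of from AzureActivity. The incident number 12345 is a constructed placeholder; replace it with the number of the incident in question.

```kql
// Added example: list each change of owner on one incident and who made it.
// 12345 is a constructed placeholder incident number.
let incidentNumber = 12345;
SecurityIncident
| where IncidentNumber == incidentNumber
// Owner is a dynamic column; pull out the assignee's UPN as a string.
| extend AssignedTo = tostring(Owner.userPrincipalName)
// sort serializes the rows so prev() can compare each record with the one before it.
| sort by TimeGenerated asc
| extend PreviousAssignedTo = prev(AssignedTo)
// Keep only the records where the owner actually changed.
| where AssignedTo != PreviousAssignedTo
// ModifiedBy names the user or application that made the change.
| project TimeGenerated, IncidentNumber, Title, PreviousAssignedTo, AssignedTo, ModifiedBy
```

Running a query only reads the workspace logs; set the time range wide enough to cover the date the incident was assigned.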