Audit Trail for Sentinel Incident Management

Senior Member

Is there an audit trail for us to track incident management, creation/editing/deletion of rules and such on Azure Sentinel?

1 Reply

@S7RAY This capability exists somewhat in the AzureActivity data. Here's an example for an alert being deleted:

AzureActivity
| where OperationName == "Delete Alert Rules" and ActivityStatusValue == "Succeeded"
| project Caller, EventSubmissionTimestamp

This will be better exposed in the near future.
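The reply's query only catches successful rule deletions. Below is an added example (not from the reply or from Microsoft) that widens the same AzureActivity approach to rule creates/updates and incident edits and summarizes who changed what; the Microsoft.SecurityInsights operation name strings and the "Success"/"Succeeded" status values are assumptions to verify against your own workspace.

```kql
// Added example: audit Sentinel analytics-rule and incident changes from AzureActivity.
// The operation names below are assumed Microsoft.SecurityInsights operations; confirm them
// by running `AzureActivity | distinct OperationNameValue` in your workspace first.
let lookback = 7d;
let watched_ops = dynamic([
    "MICROSOFT.SECURITYINSIGHTS/ALERTRULES/WRITE",   // create or update a rule
    "MICROSOFT.SECURITYINSIGHTS/ALERTRULES/DELETE",  // delete a rule (the reply's "Delete Alert Rules")
    "MICROSOFT.SECURITYINSIGHTS/INCIDENTS/WRITE"     // create or edit an incident
]);
AzureActivity
| where TimeGenerated > ago(lookback)
| where toupper(OperationNameValue) in (watched_ops)
// Older and newer AzureActivity schemas spell the success status differently.
| where ActivityStatusValue in ("Succeeded", "Success")
| extend Action = case(
    OperationNameValue has "ALERTRULES/DELETE", "RuleDeleted",
    OperationNameValue has "ALERTRULES/WRITE",  "RuleCreatedOrUpdated",
    OperationNameValue has "INCIDENTS/WRITE",   "IncidentModified",
    "Other")
// Last path segment of the resource id is the rule or incident id that was touched.
| extend TargetResource = tostring(split(_ResourceId, "/")[-1])
| summarize
    Changes   = count(),
    FirstSeen = min(TimeGenerated),
    LastSeen  = max(TimeGenerated),
    Targets   = make_set(TargetResource, 50)
    by Caller, CallerIpAddress, Action, ResourceGroup
| order by Changes desc
```

A burst of RuleDeleted or RuleCreatedOrUpdated rows from a single Caller or an unfamiliar CallerIpAddress is the pattern worth alerting on, since tampering with analytics rules is a way to blind detection.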