cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
SOLVED

Search ASC alerts using KQL

snteran
Copper Contributor

‎Jun 07 2021 02:52 PM

‎Jun 07 2021 02:52 PM

Search ASC alerts using KQL

We have several alerts that have been generated in Azure Security Center and all have been marked as "Dismiss".  Unfortunately I'm not able to see who has marked them as "Dismiss".  I was hoping to run a KQL query to review the alert and find perhaps a column with information regarding the audit trail.

I have checked the SecurityAlert table and it shows no results.

 

Please advise,

 

Serge

 

1,622 Views
0 Likes
2 Replies
Reply
2 Replies
best response confirmed by snteran (Copper Contributor)
Rod_Trent

‎Jun 07 2021 03:47 PM

‎Jun 07 2021 03:47 PM

Solution

Re: Search ASC alerts using KQL

@snteran That's contained in the Azure Activity log. You can create a Diag Setting to send the Azure Activity log to a Log Analytics workspace and then query it.

 

dismiss.jpg

Or...you could connect ASC to Azure Sentinel and query it there:

 

AzureActivity
| sort by TimeGenerated desc
| where OperationNameValue == "MICROSOFT.SECURITY/LOCATIONS/ALERTS/DISMISS/ACTION" and ActivityStatusValue == "Success"
| project Caller, CallerIpAddress

0 Likes
Reply
snteran

‎Jun 08 2021 05:06 PM

‎Jun 08 2021 05:06 PM

Re: Search ASC alerts using KQL

Thank you so much for your assistance. I was looking through Activity log but there were so many other entries that it would have taken me for ever. Once I used "Dismiss" in the search field, I found it immediately. Also the query worked perfectly. I am working on gaining knowledge in the MS Office security tools as well as ASC. If you have some of your favorite BLOG's/sites or any other training tools to help my gain the needed knowledge, I'd appreciate your insight.
Serge
0 Likes
Reply
1 best response

Accepted Solutions
best response confirmed by snteran (Copper Contributor)
Rod_Trent

‎Jun 07 2021 03:47 PM

‎Jun 07 2021 03:47 PM

Solution

Re: Search ASC alerts using KQL

@snteran That's contained in the Azure Activity log. You can create a Diag Setting to send the Azure Activity log to a Log Analytics workspace and then query it.

 

dismiss.jpg

Or...you could connect ASC to Azure Sentinel and query it there:

 

AzureActivity
| sort by TimeGenerated desc
| where OperationNameValue == "MICROSOFT.SECURITY/LOCATIONS/ALERTS/DISMISS/ACTION" and ActivityStatusValue == "Success"
| project Caller, CallerIpAddress

View solution in original post

0 Likes
Reply