Search ASC alerts using KQL

snteran · ‎Jun 07 2021

We have several alerts that have been generated in Azure Security Center and all have been marked as "Dismiss". Unfortunately I'm not able to see who has marked them as "Dismiss". I was hoping to run a KQL query to review the alert and find perhaps a column with information regarding the audit trail.

I have checked the SecurityAlert table and it shows no results.

Please advise,

Serge

snteran · ‎Jun 07 2021

@snteran That's contained in the Azure Activity log. You can create a Diag Setting to send the Azure Activity log to a Log Analytics workspace and then query it.

Or...you could connect ASC to Azure Sentinel and query it there:

AzureActivity
| sort by TimeGenerated desc
| where OperationNameValue == "MICROSOFT.SECURITY/LOCATIONS/ALERTS/DISMISS/ACTION" and ActivityStatusValue == "Success"
| project Caller, CallerIpAddress

snteran · ‎Jun 08 2021

Thank you so much for your assistance. I was looking through Activity log but there were so many other entries that it would have taken me for ever. Once I used "Dismiss" in the search field, I found it immediately. Also the query worked perfectly. I am working on gaining knowledge in the MS Office security tools as well as ASC. If you have some of your favorite BLOG's/sites or any other training tools to help my gain the needed knowledge, I'd appreciate your insight.
Serge

Search ASC alerts using KQL

Search ASC alerts using KQL

Re: Search ASC alerts using KQL

Re: Search ASC alerts using KQL

Products (52)

Special Topics (28)

Video Hub (447)

Most Active Hubs

Most Active Hubs

Video Hub

Search ASC alerts using KQL