Microsoft Entra Suite Tech Accelerator
Aug 14 2024, 07:00 AM - 09:30 AM (PDT)
Microsoft Tech Community
SOLVED

Search ASC alerts using KQL

Copper Contributor

We have several alerts that have been generated in Azure Security Center and all have been marked as "Dismiss".  Unfortunately I'm not able to see who has marked them as "Dismiss".  I was hoping to run a KQL query to review the alert and find perhaps a column with information regarding the audit trail.

I have checked the SecurityAlert table and it shows no results.

 

Please advise,

 

Serge

 

2 Replies
best response confirmed by snteran (Copper Contributor)
Solution

@snteran That's contained in the Azure Activity log. You can create a Diag Setting to send the Azure Activity log to a Log Analytics workspace and then query it.

 

dismiss.jpg

Or...you could connect ASC to Azure Sentinel and query it there:

 

AzureActivity
| sort by TimeGenerated desc
| where OperationNameValue == "MICROSOFT.SECURITY/LOCATIONS/ALERTS/DISMISS/ACTION" and ActivityStatusValue == "Success"
| project Caller, CallerIpAddress

Thank you so much for your assistance. I was looking through Activity log but there were so many other entries that it would have taken me for ever. Once I used "Dismiss" in the search field, I found it immediately. Also the query worked perfectly. I am working on gaining knowledge in the MS Office security tools as well as ASC. If you have some of your favorite BLOG's/sites or any other training tools to help my gain the needed knowledge, I'd appreciate your insight.
Serge
1 best response

Accepted Solutions
best response confirmed by snteran (Copper Contributor)
Solution

@snteran That's contained in the Azure Activity log. You can create a Diag Setting to send the Azure Activity log to a Log Analytics workspace and then query it.

 

dismiss.jpg

Or...you could connect ASC to Azure Sentinel and query it there:

 

AzureActivity
| sort by TimeGenerated desc
| where OperationNameValue == "MICROSOFT.SECURITY/LOCATIONS/ALERTS/DISMISS/ACTION" and ActivityStatusValue == "Success"
| project Caller, CallerIpAddress

View solution in original post