SOLVED

Search ASC alerts using KQL

%3CLINGO-SUB%20id%3D%22lingo-sub-2423980%22%20slang%3D%22en-US%22%3ESearch%20ASC%20alerts%20using%20KQL%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2423980%22%20slang%3D%22en-US%22%3E%3CP%3EWe%20have%20several%20alerts%20that%20have%20been%20generated%20in%20Azure%20Security%20Center%20and%20all%20have%20been%20marked%20as%20%22Dismiss%22.%26nbsp%3B%20Unfortunately%20I'm%20not%20able%20to%20see%20who%20has%20marked%20them%20as%20%22Dismiss%22.%26nbsp%3B%20I%20was%20hoping%20to%20run%20a%20KQL%20query%20to%20review%20the%20alert%20and%20find%20perhaps%20a%20column%20with%20information%20regarding%20the%20audit%20trail.%3C%2FP%3E%3CP%3EI%20have%20checked%20the%20SecurityAlert%20table%20and%20it%20shows%20no%20results.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EPlease%20advise%2C%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3ESerge%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2424126%22%20slang%3D%22en-US%22%3ERe%3A%20Search%20ASC%20alerts%20using%20KQL%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2424126%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F813530%22%20target%3D%22_blank%22%3E%40snteran%3C%2FA%3E%26nbsp%3BThat's%20contained%20in%20the%20Azure%20Activity%20log.%20You%20can%20create%20a%20Diag%20Setting%20to%20send%20the%20Azure%20Activity%20log%20to%20a%20Log%20Analytics%20workspace%20and%20then%20query%20it.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20image-alt%3D%22dismiss.jpg%22%20style%3D%22width%3A%20999px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F287029i7B19A557CCE22ABE%2Fimage-size%2Flarge%3Fv%3Dv2%26amp%3Bpx%3D999%22%20role%3D%22button%22%20title%3D%22dismiss.jpg%22%20alt%3D%22dismiss.jpg%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3EOr...you%20could%20connect%20ASC%20to%20Azure%20Sentinel%20and%20query%20it%20there%3A%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EAzureActivity%3CBR%20%2F%3E%7C%20sort%20by%20TimeGenerated%20desc%20%3CBR%20%2F%3E%7C%20where%20OperationNameValue%20%3D%3D%20%22MICROSOFT.SECURITY%2FLOCATIONS%2FALERTS%2FDISMISS%2FACTION%22%20and%20ActivityStatusValue%20%3D%3D%20%22Success%22%3CBR%20%2F%3E%7C%20project%20Caller%2C%20CallerIpAddress%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2429071%22%20slang%3D%22en-US%22%3ERe%3A%20Search%20ASC%20alerts%20using%20KQL%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2429071%22%20slang%3D%22en-US%22%3EThank%20you%20so%20much%20for%20your%20assistance.%20I%20was%20looking%20through%20Activity%20log%20but%20there%20were%20so%20many%20other%20entries%20that%20it%20would%20have%20taken%20me%20for%20ever.%20Once%20I%20used%20%22Dismiss%22%20in%20the%20search%20field%2C%20I%20found%20it%20immediately.%20Also%20the%20query%20worked%20perfectly.%20I%20am%20working%20on%20gaining%20knowledge%20in%20the%20MS%20Office%20security%20tools%20as%20well%20as%20ASC.%20If%20you%20have%20some%20of%20your%20favorite%20BLOG's%2Fsites%20or%20any%20other%20training%20tools%20to%20help%20my%20gain%20the%20needed%20knowledge%2C%20I'd%20appreciate%20your%20insight.%3CBR%20%2F%3ESerge%3C%2FLINGO-BODY%3E
Occasional Contributor

We have several alerts that have been generated in Azure Security Center and all have been marked as "Dismiss".  Unfortunately I'm not able to see who has marked them as "Dismiss".  I was hoping to run a KQL query to review the alert and find perhaps a column with information regarding the audit trail.

I have checked the SecurityAlert table and it shows no results.

 

Please advise,

 

Serge

 

2 Replies
best response confirmed by snteran (Occasional Contributor)
Solution

@snteran That's contained in the Azure Activity log. You can create a Diag Setting to send the Azure Activity log to a Log Analytics workspace and then query it.

 

dismiss.jpg

Or...you could connect ASC to Azure Sentinel and query it there:

 

AzureActivity
| sort by TimeGenerated desc
| where OperationNameValue == "MICROSOFT.SECURITY/LOCATIONS/ALERTS/DISMISS/ACTION" and ActivityStatusValue == "Success"
| project Caller, CallerIpAddress

Thank you so much for your assistance. I was looking through Activity log but there were so many other entries that it would have taken me for ever. Once I used "Dismiss" in the search field, I found it immediately. Also the query worked perfectly. I am working on gaining knowledge in the MS Office security tools as well as ASC. If you have some of your favorite BLOG's/sites or any other training tools to help my gain the needed knowledge, I'd appreciate your insight.
Serge