Microsoft Tech Community

Azure Sentinel


Hi, I am a beginner with Azure Sentinel.

I want to know where the diagnostics from Azure resources are saved so that I can create a KQL query for any updates or modifications to the Azure resources.

 

Thank you

1 Reply
Azure Diagnostics are typically in a table called "AzureDiagnostics": https://docs.microsoft.com/en-us/azure/azure-monitor/reference/tables/azurediagnostics

Diagnostics are enabled 'per resource' or via Policy: https://docs.microsoft.com/en-us/azure/azure-monitor/essentials/diagnostic-settings?tabs=CMD

Change and modification can also be seen with ARG (https://docs.microsoft.com/en-us/azure/governance/resource-graph/how-to/get-resource-changes?tabs=az...), but you have to use a Workbook to access that with KQL.
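
The two data sources named in the reply, queried in KQL. This is an added example, not part of the original reply. The 7-day and 1-day lookback windows are arbitrary assumptions, and the first query returns rows only for resources that already have a diagnostic setting pointing at the workspace.

```kusto
// Query 1: run in the Log Analytics workspace behind Sentinel (Logs blade).
// Inventory of what is actually landing in AzureDiagnostics: which resource
// types are logging, under which categories and operation names. Check this
// before writing a detection so the rule filters on values that really occur.
AzureDiagnostics
| where TimeGenerated > ago(7d)          // assumed lookback window
| summarize Events = count(), LastSeen = max(TimeGenerated)
    by ResourceProvider, ResourceType, Category, OperationName
| order by Events desc

// Query 2: run in Azure Resource Graph (Resource Graph Explorer, or an
// Azure Resource Graph data source in a Workbook), not in the workspace.
// Lists create/update/delete changes to resources with the changed properties.
resourcechanges
| extend changeTime        = todatetime(properties.changeAttributes.timestamp),
         targetResourceId  = tostring(properties.targetResourceId),
         changeType        = tostring(properties.changeType),
         changedProperties = properties.changes
| where changeTime > ago(1d)             // assumed lookback window
| where changeType in ("Create", "Update", "Delete")
| project changeTime, changeType, targetResourceId, changedProperties
| order by changeTime desc
```

Run the two queries separately, since they target different query endpoints.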