Trigger an alert when the existing alert is modified or deleted


I would like to create an alert that gets triggered when existing rules have been modified or deleted.

Can someone show how to design it?


@ss1247 Unfortunately it does not appear that the last modified date/time or last modified by is stored anywhere for Analytics rules. I did add a request for this information to be saved somewhere, as it is needed for MSSPs:


https://feedback.azure.com/forums/920458-azure-sentinel/suggestions/41084323-track-created-by-and-mo...

@Gary Bushey @ss1247 


You can get the Rule info from the api, I've done this in a workbook https://techcommunity.microsoft.com/t5/azure-sentinel/using-the-sentinel-api-to-view-data-in-a-workb...

You could add this to a Playbook (ideal) or just look at the Workbook occasionally?


My bad. I see you can indeed get the last modified date. Now if we could just add who last modified it that would be great :)

@ss1247 if you want to trigger an alert when existing analytic rules are deleted or modified, you could use the below KQL queries (just replace <resourceGroupName> with the name of the actual resource group where you have Azure Sentinel):

let sentinelResourceGroups = dynamic(["<resourceGroupName>"]);
AzureActivity
| where OperationName =~ "Delete Alert Rules"
| where ResourceGroup in (sentinelResourceGroups)
| where ActivityStatus =~ "Succeeded"
| extend AlertRuleId = Resource
| project TimeGenerated, Caller, CallerIpAddress, OperationName, OperationNameValue, Result = ActivityStatus, AlertRuleId, ResourceId
| extend AccountCustomEntity = Caller, IPCustomEntity = CallerIpAddress


let sentinelResourceGroups = dynamic(["<resourceGroupName>"]);
AzureActivity
| where OperationName =~ "Update Alert Rules"
| where ResourceGroup in (sentinelResourceGroups)
| where ActivityStatus =~ "Succeeded"
| extend AlertRuleId = Resource
| project TimeGenerated, Caller, CallerIpAddress, OperationName, OperationNameValue, Result = ActivityStatus, AlertRuleId, ResourceId
| extend AccountCustomEntity = Caller, IPCustomEntity = CallerIpAddress

@ss1247 

alert query when modified:

AzureActivity
| where OperationNameValue contains "MICROSOFT.SECURITYINSIGHTS/ALERTRULES/WRITE"
| where ActivityStatusValue == "Succeeded"
| extend Analytics_Rule_ID = tostring(parse_json(Properties).resource)
| project TimeGenerated , CallerIpAddress , Caller , Analytics_Rule_ID
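The detection logic from the two KQL answers above, reimplemented in Python as an added example (not code from the thread) so it can be run offline against exported AzureActivity records, e.g. from a playbook that receives the raw events. The records, resource-group name and the "Update"/"Delete" labels are constructed for illustration; the example also shows why the status filter matters, since Azure logs a "Started" event before the "Succeeded" one for the same operation.

```python
import json

# Constructed AzureActivity-style records (not real tenant data). Azure writes a
# "Started" event and a later "Succeeded"/"Failed" event for the same operation,
# so filtering on status is what keeps one change from producing duplicate alerts.
SAMPLE_ACTIVITY = [
    {"TimeGenerated": "2020-08-25T11:37:47Z", "Caller": "analyst@contoso.example", "CallerIpAddress": "203.0.113.10",
     "ResourceGroup": "sentinel-rg", "OperationNameValue": "MICROSOFT.SECURITYINSIGHTS/ALERTRULES/WRITE",
     "ActivityStatusValue": "Started", "Properties": json.dumps({"resource": "rule-0001"})},
    {"TimeGenerated": "2020-08-25T11:37:49Z", "Caller": "analyst@contoso.example", "CallerIpAddress": "203.0.113.10",
     "ResourceGroup": "sentinel-rg", "OperationNameValue": "MICROSOFT.SECURITYINSIGHTS/ALERTRULES/WRITE",
     "ActivityStatusValue": "Succeeded", "Properties": json.dumps({"resource": "rule-0001"})},
    {"TimeGenerated": "2020-08-25T12:02:00Z", "Caller": "svc-automation@contoso.example", "CallerIpAddress": "198.51.100.7",
     "ResourceGroup": "sentinel-rg", "OperationNameValue": "Microsoft.SecurityInsights/alertRules/delete",
     "ActivityStatusValue": "Succeeded", "Properties": json.dumps({"resource": "rule-0002"})},
    {"TimeGenerated": "2020-08-25T12:05:00Z", "Caller": "other@contoso.example", "CallerIpAddress": "192.0.2.5",
     "ResourceGroup": "unrelated-rg", "OperationNameValue": "MICROSOFT.SECURITYINSIGHTS/ALERTRULES/DELETE",
     "ActivityStatusValue": "Succeeded", "Properties": json.dumps({"resource": "rule-0003"})},
]

# Operation values taken from the thread; the display labels are assumed here.
WATCHED_OPERATIONS = {
    "MICROSOFT.SECURITYINSIGHTS/ALERTRULES/WRITE": "Update Alert Rules",
    "MICROSOFT.SECURITYINSIGHTS/ALERTRULES/DELETE": "Delete Alert Rules",
}

def detect_rule_changes(records, sentinel_resource_groups):
    """Return one alert dict per successful create/update/delete of an analytics rule."""
    alerts = []
    for rec in records:
        op = rec.get("OperationNameValue", "").upper()  # KQL 'contains' is case-insensitive
        if op not in WATCHED_OPERATIONS or rec.get("ResourceGroup") not in sentinel_resource_groups:
            continue
        if rec.get("ActivityStatusValue") != "Succeeded":  # drop Started/Failed events
            continue
        try:  # Properties is a JSON string; mirrors tostring(parse_json(Properties).resource)
            rule_id = json.loads(rec.get("Properties") or "{}").get("resource")
        except json.JSONDecodeError:
            rule_id = None
        alerts.append({"TimeGenerated": rec["TimeGenerated"], "Action": WATCHED_OPERATIONS[op],
                       "AlertRuleId": rule_id, "AccountCustomEntity": rec.get("Caller"),
                       "IPCustomEntity": rec.get("CallerIpAddress")})
    return alerts

if __name__ == "__main__":
    for alert in detect_rule_changes(SAMPLE_ACTIVITY, {"sentinel-rg"}):
        print(alert)
```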