Query Details

ASC Incident Closure

Query

//With AzureActivity connected, check to see who closed out an Incident in ASC/Defender

AzureActivity
// Filter first, then sort: the dismiss action is what closes an ASC/Defender alert; keep only successful calls
| where OperationNameValue == "MICROSOFT.SECURITY/LOCATIONS/ALERTS/DISMISS/ACTION" and ActivityStatusValue == "Success"
| sort by TimeGenerated desc
// Caller is the identity that dismissed the alert; CallerIpAddress is where the call came from
| project Caller, CallerIpAddress

Explanation

This query checks the AzureActivity log to find out who closed an Incident in ASC/Defender. It filters for the Defender alert dismiss operation (the action that closes an alert), keeps only entries whose status is Success, sorts the results by the time they were generated (newest first), and then projects the Caller (the identity that closed the incident) and the source IP address the call came from (CallerIpAddress).
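The page's query lists every dismissal, which is enough for a one-off lookup. For a recurring review a defender usually wants the same events aggregated per caller, with the alert resource and source IPs kept for triage. The block below is an added KQL example, not part of the original query or its author's work; it uses the standard AzureActivity columns (TimeGenerated, OperationNameValue, ActivityStatusValue, Caller, CallerIpAddress, _ResourceId). The expectedClosers list and the 30-day lookback are assumptions to be replaced with your own values.

```kusto
// Added example (not from the original page): dismissals per caller over a lookback window.
// Assumptions: 30d lookback; expectedClosers is a placeholder list of identities
// that are allowed to close alerts in this environment.
let lookback = 30d;
let expectedClosers = dynamic(["soc-analyst@example.com"]);   // placeholder, replace with real identities
AzureActivity
| where TimeGenerated > ago(lookback)
| where OperationNameValue == "MICROSOFT.SECURITY/LOCATIONS/ALERTS/DISMISS/ACTION"
| where ActivityStatusValue == "Success"
| summarize
    DismissCount   = count(),
    FirstSeen      = min(TimeGenerated),
    LastSeen       = max(TimeGenerated),
    SourceIPs      = make_set(CallerIpAddress),   // distinct IPs used by this caller
    AlertResources = make_set(_ResourceId)        // resource path of each dismissed alert
    by Caller
// Flag callers that are not on the allow-list; a high DismissCount from an unexpected
// identity is the pattern worth reviewing (an attacker or an over-broad role closing alerts)
| extend UnexpectedCloser = Caller !in (expectedClosers)
| sort by UnexpectedCloser desc, DismissCount desc
```

Run this in the Log Analytics workspace where AzureActivity is connected. Rows with UnexpectedCloser == true, or a single caller with many dismissals from several source IPs, are the ones to follow up on by checking that caller's role assignments and the alerts named in AlertResources.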

Details


Rod Trent

Released: June 7, 2021

Tables

AzureActivity

Keywords

AzureActivity,OperationNameValue,MICROSOFT.SECURITY/LOCATIONS/ALERTS/DISMISS/ACTION,ActivityStatusValue,Success,Caller,CallerIpAddress

Operators

sort by, where, ==, and, project
