Comment Deleted
Query
//Query to determine who deleted a comment from an Incident
AzureActivity
| where OperationNameValue contains "MICROSOFT.SECURITYINSIGHTS/INCIDENTS/COMMENTS/DELETE"
| where ActivityStatusValue == "Success"
| extend clientIpAddress_ = tostring(parse_json(HTTPRequest).clientIpAddress)
| project Caller, clientIpAddress_Explanation
This query is used to find out who deleted a comment from an Incident in Azure. It filters the Azure activity logs to only include activities related to deleting comments from Incidents. It further narrows down the results to only include activities that were successful. The query also extracts the client IP address from the HTTP request and displays it along with the caller information.
Details

Rod Trent
Released: June 8, 2021
Tables
AzureActivity
Keywords
AzureActivityOperationNameValueMICROSOFT.SECURITYINSIGHTS/INCIDENTS/COMMENTS/DELETEActivityStatusValueSuccessextendclientIpAddress_tostringparse_jsonHTTPRequestCaller
Operators
wherecontains==extendtostringparse_jsonproject