Query Details

Comment Deleted

Query

//Query to determine who deleted a comment from an Incident

AzureActivity
| where OperationNameValue contains "MICROSOFT.SECURITYINSIGHTS/INCIDENTS/COMMENTS/DELETE"
| where ActivityStatusValue == "Success"
| extend clientIpAddress_ = tostring(parse_json(HTTPRequest).clientIpAddress)
| project Caller, clientIpAddress_

Explanation

This query identifies who deleted a comment from a Microsoft Sentinel incident. It filters the AzureActivity table to operations whose name contains MICROSOFT.SECURITYINSIGHTS/INCIDENTS/COMMENTS/DELETE, then keeps only the records whose status is Success. It extracts the client IP address from the HTTPRequest field and returns it alongside the Caller.
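The same filters run over constructed rows, as an added example that is not part of the original query page. It also returns the time of the deletion and the incident the comment belonged to. The sample rows, the `ResourceId` column name and the `IncidentId` extraction are assumptions made for illustration.

```kusto
// Added example. Every row below is constructed sample data, not a real log record.
// ResourceId stands in for the resource ID column of AzureActivity (assumed: _ResourceId);
// the paths are shortened, constructed values.
let SampleActivity = datatable(
    TimeGenerated: datetime, OperationNameValue: string, ActivityStatusValue: string,
    Caller: string, HTTPRequest: string, ResourceId: string)
[
    // Non-success record for a delete: dropped by the status filter.
    datetime(2021-06-08 10:00:00), "MICROSOFT.SECURITYINSIGHTS/INCIDENTS/COMMENTS/DELETE", "Start",
        "analyst1@example.com", '{"clientIpAddress":"203.0.113.10"}',
        "/providers/microsoft.securityinsights/incidents/incident-0001/comments/comment-0001",
    // Successful delete: the record the query is looking for.
    datetime(2021-06-08 10:00:02), "MICROSOFT.SECURITYINSIGHTS/INCIDENTS/COMMENTS/DELETE", "Success",
        "analyst1@example.com", '{"clientIpAddress":"203.0.113.10"}',
        "/providers/microsoft.securityinsights/incidents/incident-0001/comments/comment-0001",
    // Failed delete attempt: dropped by the status filter.
    datetime(2021-06-08 11:15:00), "MICROSOFT.SECURITYINSIGHTS/INCIDENTS/COMMENTS/DELETE", "Failure",
        "analyst2@example.com", '{"clientIpAddress":"198.51.100.7"}',
        "/providers/microsoft.securityinsights/incidents/incident-0002/comments/comment-0009",
    // Comment write, not a delete: dropped by the operation filter.
    datetime(2021-06-08 11:20:00), "MICROSOFT.SECURITYINSIGHTS/INCIDENTS/COMMENTS/WRITE", "Success",
        "analyst2@example.com", '{"clientIpAddress":"198.51.100.7"}',
        "/providers/microsoft.securityinsights/incidents/incident-0002/comments/comment-0010"
];
SampleActivity
| where OperationNameValue contains "MICROSOFT.SECURITYINSIGHTS/INCIDENTS/COMMENTS/DELETE"
| where ActivityStatusValue == "Success"
| extend clientIpAddress_ = tostring(parse_json(HTTPRequest).clientIpAddress)
// Assumption: the resource ID carries the incident as .../incidents/<id>/comments/<id>.
| extend IncidentId = extract(@"(?i)/incidents/([^/]+)/comments/", 1, ResourceId)
| project TimeGenerated, Caller, clientIpAddress_, IncidentId
| sort by TimeGenerated desc
```

To run it against live data, replace `SampleActivity` with `AzureActivity` and point the `extract` call at the resource ID column in your workspace.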

Details

Rod Trent

Released: June 8, 2021

Tables

AzureActivity

Keywords

AzureActivity, OperationNameValue, MICROSOFT.SECURITYINSIGHTS/INCIDENTS/COMMENTS/DELETE, ActivityStatusValue, Success, extend, clientIpAddress_, tostring, parse_json, HTTPRequest, Caller

Operators

where, contains, ==, extend, tostring, parse_json, project
