Query Details

Sentinel Incident Deletions

Query

//We may want to monitor if a sentinel incident has been deleted
AzureActivity
| where OperationNameValue == "MICROSOFT.SECURITYINSIGHTS/INCIDENTS/DELETE"
| where ActivityStatusValue <> "Start" //so we only see successes or failures, feel free to remove

Explanation

This query is designed to monitor the deletion of Sentinel incidents in Azure. Here's a simple breakdown of what it does:

  1. Data Source: It uses the AzureActivity table, which logs various activities and operations within Azure.

  2. Filter by Operation: It filters the data to only include activities where the operation name is "MICROSOFT.SECURITYINSIGHTS/INCIDENTS/DELETE". This means it specifically looks for actions related to the deletion of Sentinel incidents.

  3. Filter by Activity Status: It further filters the results to exclude any activities with a status of "Start". This means it only shows activities that have either successfully completed or failed, providing a clear view of the outcomes of deletion attempts.

In summary, this query helps you track and monitor any successful or failed attempts to delete Sentinel incidents in Azure.
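A follow-on query, added here as an example and not part of the original post, that builds on the filter above: it attributes each completed deletion to the caller, pulls the incident ID out of the resource path, and flags callers who delete several incidents within a short window (bulk deletion is a common way to hide evidence). It assumes the standard AzureActivity columns Caller, CallerIpAddress, _ResourceId and CorrelationId, that completed deletions carry the status value "Success", and an illustrative threshold of 3.

```kql
// Added example: caller attribution and burst detection for Sentinel incident deletions.
// Assumptions: standard AzureActivity columns; "Success" as the completed-status value;
// the threshold and window are illustrative and should be tuned to your tenant.
let lookback = 1d;
let burst_window = 10m;
let burst_threshold = 3;
let deletions =
    AzureActivity
    | where TimeGenerated > ago(lookback)
    | where OperationNameValue =~ "MICROSOFT.SECURITYINSIGHTS/INCIDENTS/DELETE"
    | where ActivityStatusValue != "Start"   // drop the initiating event, keep outcomes
    // the incident GUID is the last segment of the resource path
    | extend IncidentId = extract(@"(?i)/incidents/([^/]+)$", 1, _ResourceId)
    | project TimeGenerated, Caller, CallerIpAddress, IncidentId,
              ActivityStatusValue, CorrelationId, _ResourceId;
deletions
| where ActivityStatusValue =~ "Success"    // assumption: completed-status value
| summarize Deletions = count(),
            Incidents = make_set(IncidentId, 50),
            SourceIps = make_set(CallerIpAddress, 10),
            FirstSeen = min(TimeGenerated),
            LastSeen = max(TimeGenerated)
    by Caller, bin(TimeGenerated, burst_window)
| where Deletions >= burst_threshold
| project-away TimeGenerated
| order by Deletions desc
```

Run the `deletions` sub-query on its own first to confirm the status values present in your workspace before relying on the "Success" filter.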

Details


Jay Kerai

Released: January 2, 2025

Tables

AzureActivity

Keywords

AzureActivity, OperationNameValue, ActivityStatusValue

Operators

where, ==, <>, |
