Query Details

Watch List Audit

Query

//Here's where to find auditing for Microsoft Sentinel Watchlists

AzureActivity
| where TimeGenerated > ago(90d)
| where OperationNameValue has "MICROSOFT.SECURITYINSIGHTS/WATCHLISTS/"


//Get the actual Watchlist name

AzureActivity
| where TimeGenerated > ago(90d)
| where OperationNameValue has "MICROSOFT.SECURITYINSIGHTS/WATCHLISTS/"
| extend resource_ = tostring(parse_json(Properties).resource)

Explanation

This query returns the audit trail of Microsoft Sentinel Watchlist operations from the Azure Activity log. It keeps only events from the last 90 days whose operation name contains "MICROSOFT.SECURITYINSIGHTS/WATCHLISTS/". The second form of the query additionally extracts the Watchlist name into a resource_ column by parsing the "resource" field of the Properties JSON that Azure Activity records for each event.
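As an added example (not part of the original query entry), the same filter extended so that each Watchlist change is attributed to a caller, a source IP and an action. It assumes the AzureActivity columns Caller, CallerIpAddress and ActivityStatusValue, that "Success" is the status value of a completed call, and that the last path segment of OperationNameValue names the action (for example WRITE or DELETE):

```kql
// Added example, not from the original page: who changed which Watchlist, and how.
// Assumptions: AzureActivity has Caller, CallerIpAddress and ActivityStatusValue;
// completed calls carry ActivityStatusValue "Success"; the final "/" segment of
// OperationNameValue is the action (WRITE, DELETE, ...).
AzureActivity
| where TimeGenerated > ago(90d)
| where OperationNameValue has "MICROSOFT.SECURITYINSIGHTS/WATCHLISTS/"
// Azure Activity logs a Start and a Success/Failure row per call; keep the completed one
| where ActivityStatusValue =~ "Success"
// Same extraction as the page's query, just with a clearer column name
| extend WatchlistName = tostring(parse_json(Properties).resource)
// Last segment of the operation name, e.g. WRITE or DELETE
| extend Action = toupper(tostring(split(OperationNameValue, "/")[-1]))
// Deletions remove the list that analytics rules may depend on, so rank them higher
| extend Severity = iff(Action == "DELETE", "High", "Informational")
| summarize Changes = count(),
            FirstSeen = min(TimeGenerated),
            LastSeen = max(TimeGenerated),
            SourceIps = make_set(CallerIpAddress, 10)
          by WatchlistName, Action, Severity, Caller
| order by Severity asc, LastSeen desc
```

Filtering on `Action == "DELETE"` or on an unexpected `Caller` at the end turns this into a scheduled detection rule.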

Details


Rod Trent

Released: May 19, 2022

Tables

AzureActivity

Keywords

AzureActivity, TimeGenerated, OperationNameValue, MICROSOFT.SECURITYINSIGHTS/WATCHLISTS, Properties, resource_

Operators

where, ago, has, extend, tostring, parse_json
