Query Details
Watch List Delete
Query
//When was a Watchlist deleted and who deleted it AzureActivity | where OperationNameValue == "MICROSOFT.SECURITYINSIGHTS/WATCHLISTS/DELETE" | project TimeGenerated, Caller, CallerIpAddress
Explanation
This query looks for information about when a Watchlist was deleted and who deleted it. It retrieves the time the deletion occurred, the person who performed the deletion, and their IP address.
Details
Rod Trent
Released: October 27, 2022
Tables
AzureActivity
Keywords
AzureActivity,OperationNameValue,MICROSOFT.SECURITYINSIGHTS/WATCHLISTS/DELETE,TimeGenerated,Caller,CallerIpAddress
Operators
where==project