Query Details

Workbook Deletion

Query

//Who deleted a Microsoft Sentinel workbook

AzureActivity
| where OperationNameValue == "MICROSOFT.INSIGHTS/WORKBOOKS/DELETE"
| distinct Caller, CallerIpAddress, EventSubmissionTimestamp, OperationName, OperationNameValue, Resource 

Explanation

This query identifies who deleted a Microsoft Sentinel workbook. It filters the AzureActivity table for the workbook delete operation and returns the distinct combinations of caller, caller IP address, event submission timestamp, operation name and value, and the resource involved.

Details

Rod Trent

Released: March 15, 2022

Tables

AzureActivity

Keywords

AzureActivity,MICROSOFT.INSIGHTS/WORKBOOKS/DELETE

Operators

where,==,distinct