kqlHunting

Sentinel Incident Deletions

We may want to monitor whether a Microsoft Sentinel incident has been deleted.

Detection Query

//We may want to monitor if a sentinel incident has been deleted
AzureActivity
| where OperationNameValue == "MICROSOFT.SECURITYINSIGHTS/INCIDENTS/DELETE"
| where ActivityStatusValue <> "Start" //so we only see successes or failures, feel free to remove
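
A triage-oriented variant of the query above, added here as an example and not part of the original rule: it shows who deleted which incident and, where the incident is still present in the SecurityIncident table, what it was. The lookback windows, the extraction of the incident GUID from `_ResourceId`, and the join to SecurityIncident in the same workspace are assumptions.

```kql
// Added example, not the original detection.
let lookback = 7d;          // assumption: hunting window for delete operations
let incidentHistory = 90d;  // assumption: how far back to search for incident details
AzureActivity
| where TimeGenerated > ago(lookback)
| where OperationNameValue =~ "MICROSOFT.SECURITYINSIGHTS/INCIDENTS/DELETE"
| where ActivityStatusValue != "Start" // keep only successes or failures
// Assumption: the incident GUID is the path segment after /incidents/ in the resource ID
| extend IncidentName = tolower(extract(@"(?i)/incidents/([^/]+)", 1, _ResourceId))
| project DeletedTime = TimeGenerated, Caller, CallerIpAddress, ActivityStatusValue,
          IncidentName, CorrelationId
| join kind=leftouter (
    SecurityIncident
    | where TimeGenerated > ago(incidentHistory)
    | extend IncidentName = tolower(IncidentName)
    // Latest known state of each incident before it was deleted
    | summarize arg_max(TimeGenerated, IncidentNumber, Title, Severity, Status) by IncidentName
    | project-rename LastUpdated = TimeGenerated
  ) on IncidentName
| project DeletedTime, Caller, CallerIpAddress, ActivityStatusValue,
          IncidentNumber, Title, Severity, Status, LastUpdated, IncidentName, CorrelationId
| sort by DeletedTime desc
```

Rows with an empty Title are deletions of incidents that have no record inside the `incidentHistory` window.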

Data Sources

AzureActivity

Platforms

azure-sentinel

Tags

azure