Commit 2734148

audit update for Elay
1 parent 073aa76 commit 2734148

1 file changed

+34
-1
lines changed

articles/sentinel/resources.md

Lines changed: 34 additions & 1 deletion
@@ -14,7 +14,7 @@ ms.devlang: na
1414
ms.topic: conceptual
1515
ms.tgt_pltfrm: na
1616
ms.workload: na
17-
ms.date: 09/23/2019
17+
ms.date: 11/26/2019
1818
ms.author: rkarlin
1919

2020
---
@@ -30,6 +30,39 @@ Azure Logic Apps connectors: <https://docs.microsoft.com/connectors/>
3030
## Auditing and reporting
3131
Audit logs of Azure Sentinel are maintained in [Azure Activity Logs](../azure-monitor/platform/activity-logs-overview.md).
3232

33+
The following supported operations can be audited.
34+
35+
|Operation name| Resource type|
36+
|----|----|
37+
||Create or update workbook |Microsoft.Insights/workbooks|
38+
|Delete Workbook |Microsoft.Insights/workbooks|
39+
|Set Workflow |Microsoft.Logic/workflows|
40+
|Delete Workflow |Microsoft.Logic/workflows|
41+
|Create Saved Search |Microsoft.OperationalInsights/workspaces/savedSearches|
42+
|Delete Saved Search |Microsoft.OperationalInsights/workspaces/savedSearches|
43+
|Set Dashboard |Microsoft.Portal/dashboards|
44+
|Delete Dashboard |Microsoft.Portal/dashboards|
45+
|Update Alert Rules |Microsoft.SecurityInsights/alertRules|
46+
|Delete Alert Rules |Microsoft.SecurityInsights/alertRules|
47+
|Update Alert Rule Response Actions |Microsoft.SecurityInsights/alertRules|
48+
|Delete Alert Rule Response Actions |Microsoft.SecurityInsights/alertRules|
49+
|Update Bookmarks |Microsoft.SecurityInsights/bookmarks|
50+
|Delete Bookmarks |Microsoft.SecurityInsights/bookmarks|
51+
|Update Cases |Microsoft.SecurityInsights/Cases|
52+
|Update Case Investigation |Microsoft.SecurityInsights/Cases|
53+
|Create Case Comments |Microsoft.SecurityInsights/Cases|
54+
|Update Data Connectors |Microsoft.SecurityInsights/dataConnectors|
55+
|Delete Data Connectors |Microsoft.SecurityInsights/dataConnectors|
56+
|Update Settings |Microsoft.SecurityInsights/settings|
57+
58+
### View audit and reporting data in Azure Sentinel
59+
60+
You can view this data by streaming it from the Azure Activity log into Azure Sentinel where you can then perform research and analytics on it.
61+
62+
1. Connect the [Azure Activity](connect-azure-activity.md) data source. After doing this, audit events are streamed into a new table in the **Logs** screen called AzureActivity.
63+
2. Then, query the data using KQL, like you would any other table.
64+
65+
3366

3467
## Vendor documentation
3568

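Review bot: The first table row (new line 37) starts with a doubled pipe, `||Create or update workbook |Microsoft.Insights/workbooks|`, which gives that row an empty first cell and shifts the operation name and resource type one column to the right of the header; drop the extra `|`. In the same table the naming is inconsistent: "Create or update workbook" is sentence case while every other operation is title case ("Delete Workbook"), and `Microsoft.SecurityInsights/Cases` is the only resource type with a capitalised final segment next to `alertRules`, `bookmarks` and `dataConnectors`. Please confirm these strings match what actually appears in the Activity log, since readers will copy them into filters. Step 2 (new line 63) tells the reader to query with KQL but gives no starting point; a short sample query against the AzureActivity table that filters on one of the listed resource types would make the procedure usable, and the table name in step 1 should be in code formatting. New lines 64 and 65 add two blank lines ahead of an existing blank line before "## Vendor documentation"; one is enough.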