Does anyone know what to query to find who may have made changes to the Azure Sentinel / Data Connector Configuration?
I tried the activity log but couldn't quite find the change; experimenting in my dev making changes but ultimately i'm trying to track down who made changes in PROD.
Thanks in advance,
Boyd
Something like the following?
https://github.com/rod-trent/SentinelKQL/blob/master/UpdateDataConnectors.txt
AzureActivity | where OperationName == "Update Data Connectors" and ActivityStatus == "Succeeded" | project Caller , CallerIpAddress, EventSubmissionTimestamp