I had done something similar a while back. It's a pretty involved query, but you have to be able to search the auditing events for the alertdefID and use the node ID as well in order to find any auditing events tied to a specific alert. I unfortunately no longer have the exact query I used the last time I set that up. I'll do some digging to see if I can find any remnants of it.