IdentityQueryEvents 數據表的查詢

發行項
11/05/2024

如需在 Azure 入口網站中使用這些查詢的詳細資訊，請參閱Log Analytics教學課程。如需 REST API，請參閱查詢。

對 Active Directory 的 SAMR 查詢

尋找將 SAMR 查詢傳送至 Active Directory 的程式。

// Find processes that sent SAMR queries to Active Directory
IdentityQueryEvents
| where ActionType == "SAMR query"
//    and isnotempty(AccountName)
| project QueryTime = Timestamp, DeviceName, AccountName, Query, QueryTarget
| join kind=inner (
DeviceProcessEvents
| extend DeviceName = toupper(trim(@"\..*$",DeviceName))
//| where InitiatingProcessCommandLine contains "net.exe"
| project ProcessCreationTime = Timestamp, DeviceName, AccountName,
     InitiatingProcessFileName , InitiatingProcessCommandLine
    ) on DeviceName//, AccountName
| where ProcessCreationTime - QueryTime between (-2m .. 2m)
| project QueryTime, DeviceName, InitiatingProcessFileName, InitiatingProcessCommandLine, Query, QueryTarget //,AccountName
 | limit 100

共用方式為

IdentityQueryEvents 數據表的查詢

對 Active Directory 的 SAMR 查詢

意見反應

其他資源