# Queries for the OfficeActivity table

For information on using these queries in the Azure portal, see the Log Analytics tutorial. For the REST API, see Query.
## All Office activity

All events provided by Office activity.

```kusto
OfficeActivity
| project TimeGenerated, UserId, Operation, OfficeWorkload, RecordType, _ResourceId
| sort by TimeGenerated desc nulls last
```
## Users accessing files

Users sorted by the number of OneDrive and SharePoint files they accessed.

```kusto
OfficeActivity
| where OfficeWorkload in ("OneDrive", "SharePoint") and Operation in ("FileDownloaded", "FileAccessed")
| summarize AccessedFilesCount = dcount(OfficeObjectId) by UserId, _ResourceId
| sort by AccessedFilesCount desc nulls last
```
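A raw count of accessed files is most useful when compared against each user's own history: a user who normally touches a handful of files and suddenly accesses hundreds is a stronger exfiltration signal than a high absolute count from a user who always works that way. The following query is an added example, not part of the original page, that compares the last day of access activity against a 14-day per-user baseline built from the same OfficeActivity fields used above. The `lookback`, `window`, the absolute floor of 100 files and the 3x multiplier are assumed thresholds to be tuned per tenant.

```kusto
// Added example (not from the original page): per-user access-volume deviation.
// Baseline: distinct files accessed per user per day over the prior 14 days.
let lookback = 14d;               // assumed baseline length
let window = 1d;                  // assumed detection window
let minFiles = 100;               // assumed absolute floor to suppress low-volume noise
let baseline = OfficeActivity
| where TimeGenerated between (ago(lookback + window) .. ago(window))
| where OfficeWorkload in ("OneDrive", "SharePoint") and Operation in ("FileDownloaded", "FileAccessed")
| summarize DailyCount = dcount(OfficeObjectId) by UserId, bin(TimeGenerated, 1d)
| summarize AvgDaily = avg(DailyCount), MaxDaily = max(DailyCount) by UserId;
// Current window: same measure, then compare against the baseline.
OfficeActivity
| where TimeGenerated > ago(window)
| where OfficeWorkload in ("OneDrive", "SharePoint") and Operation in ("FileDownloaded", "FileAccessed")
| summarize CurrentCount = dcount(OfficeObjectId), Workloads = make_set(OfficeWorkload) by UserId, _ResourceId
| join kind=leftouter baseline on UserId
// Users with no prior history get a zero baseline, so any volume above the floor surfaces.
| extend AvgDaily = coalesce(AvgDaily, 0.0), MaxDaily = coalesce(MaxDaily, 0)
| where CurrentCount > minFiles and CurrentCount > 3 * MaxDaily
| project UserId, CurrentCount, AvgDaily, MaxDaily, Workloads, _ResourceId
| sort by CurrentCount desc
```

The `leftouter` join keeps users with no baseline rows (new accounts, or accounts that were dormant for the whole lookback period); those are worth keeping visible rather than filtering out, since a freshly provisioned or reactivated account pulling many files is itself notable.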
## File upload operations

Lists users sorted by the number of files uploaded to OneDrive and SharePoint.

```kusto
OfficeActivity
| where OfficeWorkload in ("OneDrive", "SharePoint") and Operation in ("FileUploaded")
| summarize AccessedFilesCount = dcount(OfficeObjectId) by UserId, _ResourceId
| sort by AccessedFilesCount desc nulls last
```
## Office activity for a user

This query presents a user's activity across Office.

```kusto
// Replace the UPN in the query with the UPN of the user of interest
let v_Users_UPN= "osotnoc@contoso.com";
OfficeActivity
| where UserId==v_Users_UPN
| project TimeGenerated, OfficeWorkload, Operation, ResultStatus, OfficeObjectId, _ResourceId
```
## Forwarding rule creation

Lists the creation of email forwarding rules.

```kusto
OfficeActivity
| where OfficeWorkload == "Exchange"
| where Operation in~ ("New-TransportRule", "Set-TransportRule")
| extend RuleName = case(Operation =~ "Set-TransportRule", tostring(OfficeObjectId), Operation =~ "New-TransportRule", tostring(parse_json(Parameters)[1].Value), "Unknown")
| project TimeGenerated, ClientIP, UserId, Operation, RuleName, _ResourceId
```
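The query above covers organization-wide transport rules. Forwarding is also frequently configured at the mailbox level through inbox rules, which a compromised account can create without any admin role. The following query is an added example, not part of the original page: it extends the same Exchange/OfficeActivity pattern to `New-InboxRule` and `Set-InboxRule` and pulls the forwarding targets out of the `Parameters` array (assumed here, as in the query above, to be a JSON array of `{Name, Value}` pairs). The parameter names `ForwardTo`, `ForwardAsAttachmentTo`, `RedirectTo` and `ForwardingSmtpAddress` are the Exchange cmdlet parameters that carry a destination; the rule's own name is taken from the `Name` parameter (new rules) or `Identity` (modified rules).

```kusto
// Added example (not from the original page): mailbox inbox rules that forward or redirect mail.
OfficeActivity
| where OfficeWorkload == "Exchange"
| where Operation in~ ("New-InboxRule", "Set-InboxRule")
| extend Params = parse_json(Parameters)
// Walk the parameter array once, collecting the rule name and every forwarding destination.
| mv-apply P = Params on (
    summarize
        RuleName = take_anyif(tostring(P.Value), tostring(P.Name) in~ ("Name", "Identity")),
        ForwardTargets = make_set_if(tostring(P.Value),
            tostring(P.Name) in~ ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo", "ForwardingSmtpAddress"))
  )
// Keep only rules that actually set a destination; rules that merely move or delete mail are dropped.
| where array_length(ForwardTargets) > 0
| project TimeGenerated, UserId, ClientIP, Operation, RuleName, ForwardTargets, ResultStatus, _ResourceId
| sort by TimeGenerated desc nulls last
```

`ClientIP` is kept in the projection deliberately: an inbox rule created from an address that does not match the user's usual sign-in locations is the combination most often seen after a credential phish, and having the IP beside the forwarding address saves a second query during triage.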
## Suspicious file names

Operations on files whose names may indicate obfuscation of executables.

```kusto
OfficeActivity
| where RecordType =~ "SharePointFileOperation" and isnotempty(SourceFileName)
| where OfficeObjectId has ".exe." and OfficeObjectId matches regex @"\.exe\.\w{0,4}$"
```