For information on using these queries in the Azure portal, see the Log Analytics tutorial. For the REST API, see Query.
Most common event IDs for security events
Shows the number of events captured for each EventID from the Windows Security Auditing provider, in descending order.
SecurityEvent
| where EventSourceName == "Microsoft-Windows-Security-Auditing"
| summarize EventCount = count() by EventID
| sort by EventCount desc
Members added to security groups
Who was added to a security-enabled group in the last day? Note that the query itself carries no time filter: when it runs as an alert rule, the rule's lookback period supplies the window; when you run it ad hoc, set the time range in the portal or add `| where TimeGenerated > ago(1d)`.
// To create an alert for this query, click '+ New alert rule'
SecurityEvent
| where EventID in (4728, 4732, 4756) // these event IDs indicate a member was added to a security-enabled group
| summarize count() by SubjectAccount, Computer, _ResourceId
// This query requires the Security solution
Plaintext password used
Lists all accounts that logged on with a plaintext password in the last day (time window supplied by the alert rule or the portal time picker). Logon type 8 (NetworkCleartext) means the credentials were transmitted over the network in cleartext, which is typically IIS basic authentication.
// To create an alert for this query, click '+ New alert rule'
SecurityEvent
| where EventID == 4624 // event ID 4624: "an account was successfully logged on",
| where LogonType == 8 // logon type 8: "NetworkCleartext"
| summarize count() by TargetAccount, Computer, _ResourceId // count the reported security events for each account
// This query requires the Security solution
Windows failed logons
Finds Windows accounts that failed to log on (event 4625), counted per target account and computer.
// To create an alert for this query, click '+ New alert rule'
SecurityEvent
| where EventID == 4625
| summarize count() by TargetAccount, Computer, _ResourceId // count the reported security events for each account
// This query requires the Security solution
All security activity
Security activity ordered by time (newest first).
SecurityEvent
| project TimeGenerated, Account, Activity, Computer
| sort by TimeGenerated desc
Security activity on a device
Security activity on a specific device, ordered by time (newest first). Uncomment the Computer filter and supply the host name.
SecurityEvent
//| where Computer == "COMPUTER01.contoso.com" // Replace with a specific computer name
| project TimeGenerated, Account, Activity, Computer
| sort by TimeGenerated desc
Security activity for an administrator
Security activity involving the Administrator account on a specific device, ordered by time (newest first). Uncomment the Computer filter to restrict the results to one host.
SecurityEvent
//| where Computer == "COMPUTER01.contoso.com" // Replace with a specific computer name
| where TargetUserName == "Administrator"
| project TimeGenerated, Account, Activity, Computer
| sort by TimeGenerated desc
Logon activity by device
Counts successful logons (event 4624) per device.
SecurityEvent
| where EventID == 4624
| summarize LogonCount = count() by Computer
Devices with more than 10 logons
Devices with more than 10 successful logons.
SecurityEvent
| where EventID == 4624
| summarize LogonCount = count() by Computer
| where LogonCount > 10
Accounts that terminated antimalware
Accounts that terminated Microsoft Antimalware (MsMpEng.exe), based on process-exit event 4689.
SecurityEvent
| where EventID == 4689
| where Process has "MsMpEng.exe" or ParentProcessName has "MsMpEng.exe"
| summarize TerminationCount = count() by Account
Devices that terminated antimalware
Devices on which Microsoft Antimalware (MsMpEng.exe) was terminated.
SecurityEvent
| where EventID == 4689
| where Process has "MsMpEng.exe" or ParentProcessName has "MsMpEng.exe"
| summarize TerminationCount = count() by Computer
Devices running hash
Devices that ran hash.exe more than 5 times, based on process-creation event 4688.
SecurityEvent
| where EventID == 4688
| where Process has "hash.exe" or ParentProcessName has "hash.exe"
| summarize ExecutionCount = count() by Computer
| where ExecutionCount > 5
Process names executed
Lists the number of executions of each process (event 4688).
SecurityEvent
| where EventID == 4688
| summarize ExecutionCount = count() by NewProcessName
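The counts above tell you what ran most often; for hunting, the interesting processes are usually the ones that ran least. The following query is an added example, not one of the page's own samples: it uses the same 4688 events to surface executables seen on a single host only a few times, together with the launching accounts and parent processes. The 7-day lookback and the thresholds are assumptions to tune for your environment.

```kql
let lookback = 7d;            // assumed window; widen it for low-volume environments
SecurityEvent
| where TimeGenerated > ago(lookback)
| where EventID == 4688       // process creation
| summarize ExecutionCount = count(),
            HostCount = dcount(Computer),
            Hosts = make_set(Computer, 5),
            Accounts = make_set(SubjectAccount, 5),
            ParentProcesses = make_set(ParentProcessName, 5),
            FirstSeen = min(TimeGenerated)
    by NewProcessName
| where HostCount == 1 and ExecutionCount <= 3    // assumed rarity thresholds: one host, a handful of runs
| sort by FirstSeen desc
```

Event 4688 is only emitted when process-creation auditing is enabled on the host; the CommandLine column is populated only if the "Include command line in process creation events" policy is also turned on, and adding it to the summarize is the natural next step when it is.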
Devices with cleared security log
Devices where the security log was cleared (event 1102).
SecurityEvent
| where EventID == 1102
| summarize LogClearedCount = count() by Computer
Logon activity by account
Counts successful logons per account.
SecurityEvent
| where EventID == 4624
| summarize LogonCount = count() by Account
Accounts with fewer than 5 logons
Logon activity for accounts with fewer than 5 successful logons.
SecurityEvent
| where EventID == 4624
| summarize LogonCount = count() by Account
| where LogonCount < 5
Remote logon accounts on a device
Accounts that logged on remotely (logon type 3, Network, or 10, RemoteInteractive) to a specific device. Uncomment the Computer filter to restrict the results to one host.
SecurityEvent
| where EventID == 4624 and (LogonTypeName == "3 - Network" or LogonTypeName == "10 - RemoteInteractive")
//| where Computer == "Computer01.contoso.com" // Replace with a specific computer name
| summarize RemoteLogonCount = count() by Account
Computers with guest account logons
Computers that received network or RemoteInteractive logons from the Guest account.
SecurityEvent
| where EventID == 4624 and TargetUserName == 'Guest' and LogonType in (10, 3)
| summarize count() by Computer
Members added to security-enabled groups
Counts member additions to security-enabled groups (events 4728, 4732 and 4756) by the account that made the change.
SecurityEvent
| where EventID in (4728, 4732, 4756)
| summarize count() by SubjectAccount
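Both group-membership queries on this page (the alert-oriented one earlier and this one) only count events by the actor. During triage you also need which group and which member, and for a detection you normally care only about a handful of high-value groups. The query below is an added example, not one of the page's own samples. For events 4728, 4732 and 4756 the "target" columns describe the group and MemberName/MemberSid describe the added member; the list of privileged groups is an assumption to replace with your own.

```kql
let lookback = 1d;
// Assumed list of high-value groups; adjust to your directory (not from the original page).
let privilegedGroups = dynamic(["Domain Admins", "Enterprise Admins", "Schema Admins",
                                "Administrators", "Account Operators", "Backup Operators"]);
SecurityEvent
| where TimeGenerated > ago(lookback)
| where EventID in (4728, 4732, 4756)   // member added to a global / local / universal security-enabled group
| extend GroupName = TargetUserName, GroupDomain = TargetDomainName   // for these events the "target" is the group
| where GroupName in (privilegedGroups)
| project TimeGenerated, Computer,
          Actor = SubjectAccount,          // who made the change
          GroupDomain, GroupName,
          MemberName, MemberSid            // who was added (MemberName is the member's distinguished name)
| sort by TimeGenerated desc
```

For 4732 (local groups) GroupDomain is typically "Builtin" on member servers, so keep the match on GroupName rather than on a domain-qualified string. To turn this into an alert, drop the lookback line and let the alert rule's period supply the window, as with the other samples on this page.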
Domain security policy changes
Counts domain policy change events (event 4739) by the policy that was changed.
SecurityEvent
| where EventID == 4739
| summarize count() by DomainPolicyChanged
System audit policy changes
System audit policy change events (event 4719) by computer.
SecurityEvent
| where EventID == 4719
| summarize count() by Computer
Suspicious executables
Lists suspicious executables: AppLocker events (8002) for files with no fully qualified binary name (Fqbn == '-', i.e. unsigned binaries), grouped by file hash and limited to hashes executed at most 5 times.
SecurityEvent
| where EventID == 8002 and Fqbn == '-'
| summarize ExecutionCountHash=count() by FileHash
| where ExecutionCountHash <= 5
Logons with a plaintext password
Logons with a plaintext password (logon type 8, NetworkCleartext), counted by target account.
SecurityEvent
| where EventID == 4624 and LogonType == 8
| summarize count() by TargetAccount
Computers with cleared event logs
Computers where the event log was cleared (event 1102, or legacy event 517), counted by computer.
SecurityEvent
| where EventID in (1102, 517) and EventSourceName == 'Microsoft-Windows-Eventlog'
| summarize count() by Computer
Accounts that failed to log on
Counts failed logon attempts (event 4625) by target account.
SecurityEvent
| where EventID == 4625
| summarize count() by TargetAccount
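A raw count of 4625 events, as in the "Windows failed logons" sample earlier and in the one just above, will fire on every mistyped password. What an analyst actually wants is a burst of failures against an account followed by a success on the same host, which is the password-spray or brute-force pattern. The query below is an added example, not one of the page's own samples; the lookback, the failure threshold and the one-hour window are assumptions to tune, and it relies on the IpAddress column that 4624/4625 populate for network logons.

```kql
let lookback = 1d;         // assumed window
let threshold = 10;        // assumed: failures per account/computer before we care
let window = 1h;           // assumed: how soon after the last failure a success is suspicious
let failures =
    SecurityEvent
    | where TimeGenerated > ago(lookback)
    | where EventID == 4625                          // failed logon
    | summarize FailedCount = count(),
                FirstFailure = min(TimeGenerated),
                LastFailure = max(TimeGenerated),
                SourceIPs = make_set(IpAddress, 20)
        by TargetAccount, Computer
    | where FailedCount >= threshold;
let successes =
    SecurityEvent
    | where TimeGenerated > ago(lookback)
    | where EventID == 4624 and LogonType in (3, 10)  // network or RemoteInteractive; console logons excluded
    | project TargetAccount, Computer, SuccessTime = TimeGenerated, SuccessIP = IpAddress;
failures
| join kind=inner successes on TargetAccount, Computer
| where SuccessTime > FirstFailure and SuccessTime <= LastFailure + window
| project TargetAccount, Computer, FailedCount, FirstFailure, LastFailure,
          SuccessTime, SuccessIP, SourceIPs
| sort by FailedCount desc
```

The join deliberately keys on both account and computer, so a success on an unrelated host does not clear a failure burst elsewhere. If you only want the spray itself, keep the `failures` part and alert on rows whose SourceIPs set contains more than one address.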
Locked accounts
Counts account lockouts (event 4740) by target account.
SecurityEvent
| where EventID == 4740
| summarize count() by TargetAccount
Change or reset password attempts
Counts password change attempts (event 4723) and password reset attempts (event 4724) per target account.
SecurityEvent
| where EventID in (4723, 4724)
| summarize count() by TargetAccount
Groups created or modified
Counts group creation and change events (4727, 4731, 4735, 4737, 4754, 4755) per target account; for these events the target account is the group itself.
SecurityEvent
| where EventID in (4727, 4731, 4735, 4737, 4754, 4755)
| summarize count() by TargetAccount
Remote procedure call attempts
Counts remote procedure call attempts (event 5712) per computer.
SecurityEvent
| where EventID == 5712
| summarize count() by Computer
User accounts changed
Counts user account creations (event 4720) and enablements (event 4722) per target account.
SecurityEvent
| where EventID in (4720, 4722)
| summarize count() by TargetAccount // without count() this would only list the distinct target accounts