Queries for the SecurityEvent table

Most common event IDs for security events

This query shows, for each EventID, the number of events captured for security auditing, in descending order.

SecurityEvent
| where EventSourceName == "Microsoft-Windows-Security-Auditing"
| summarize EventCount = count() by EventID
| sort by EventCount desc

Members added to security groups

Who was added to security-enabled groups in the past day?

// To create an alert for this query, click '+ New alert rule'
SecurityEvent
| where EventID in (4728, 4732, 4756) // these event IDs indicate a member was added to a security-enabled group
| summarize count() by SubjectAccount, Computer, _ResourceId
// This query requires the Security solution

Plain-text password usage

Lists all accounts that logged on with a plain-text password in the past day.

// To create an alert for this query, click '+ New alert rule'
SecurityEvent
| where EventID == 4624 // event ID 4624: "an account was successfully logged on"
| where LogonType == 8 // logon type 8: "NetworkCleartext"
| summarize count() by TargetAccount, Computer, _ResourceId // count the reported security events for each account
// This query requires the Security solution

Windows failed logons

Finds reports of Windows accounts that failed to log on.

// To create an alert for this query, click '+ New alert rule'
SecurityEvent
| where EventID == 4625
| summarize count() by TargetAccount, Computer, _ResourceId // count the reported security events for each account
// This query requires the Security solution
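An added example, not part of the original page, that extends the failed-logon query into a detection shape: it buckets 4625 events for each target account and computer into 10-minute windows and returns only bursts above a threshold, together with the reporting source addresses and NTSTATUS sub-status codes so that password guessing against real accounts can be told apart from attempts against non-existent ones. The threshold and window are constructed values; the IpAddress and SubStatus columns are assumed to be populated in your workspace.

```kusto
// Added example; not part of the original page.
// Threshold and window are constructed values to tune per environment.
let threshold = 10;   // minimum failures in one window before a row is returned
let window = 10m;     // bucket size for the burst detection
SecurityEvent
| where TimeGenerated > ago(1d)
| where EventID == 4625
| summarize
    FailedCount = count(),
    SourceIPs = make_set(IpAddress, 10),        // up to 10 distinct reporting addresses
    SubStatusCodes = make_set(SubStatus, 5)     // e.g. 0xC000006A = bad password, 0xC0000064 = unknown user
  by TargetAccount, Computer, WindowStart = bin(TimeGenerated, window)
| where FailedCount >= threshold
| order by FailedCount desc, WindowStart desc
```

Binning by time rather than counting over the whole range is what makes the result usable as an alert rule: a steady trickle of typos stays below the threshold, while a burst inside one window surfaces immediately.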

All security activities

Security activities sorted by time (latest first).

SecurityEvent
| project TimeGenerated, Account, Activity, Computer
| sort by TimeGenerated desc

Security activities on the device

Security activities on a specific device, sorted by time (latest first).

SecurityEvent
//| where Computer == "COMPUTER01.contoso.com" // Replace with a specific computer name
| project TimeGenerated, Account, Activity, Computer
| sort by TimeGenerated desc

Security activities of the Administrator

Security activities of the Administrator account on a specific device, sorted by time (latest first).

SecurityEvent
//| where Computer == "COMPUTER01.contoso.com"  // Replace with a specific computer name
| where TargetUserName == "Administrator"
| project TimeGenerated, Account, Activity, Computer
| sort by TimeGenerated desc

Logon activity by device

Counts logon activity for each device.

SecurityEvent
| where EventID == 4624
| summarize LogonCount = count() by Computer

Devices with more than 10 logons

Counts logon activity for devices with more than 10 logons.

SecurityEvent
| where EventID == 4624
| summarize LogonCount = count() by Computer
| where LogonCount > 10

Anti-malware terminated by account

Accounts that terminated Microsoft Antimalware.

SecurityEvent
| where EventID == 4689
| where Process has "MsMpEng.exe" or ParentProcessName has "MsMpEng.exe"
| summarize TerminationCount = count() by Account

Anti-malware terminated by device

Devices that terminated Microsoft Antimalware.

SecurityEvent
| where EventID == 4689
| where Process has "MsMpEng.exe" or ParentProcessName has "MsMpEng.exe"
| summarize TerminationCount = count() by Computer

Devices that ran hash

Devices on which hash.exe was executed more than 5 times.

SecurityEvent
| where EventID == 4688
| where Process has "hash.exe" or ParentProcessName has "hash.exe"
| summarize ExecutionCount = count() by Computer
| where ExecutionCount > 5

Process names executed

Lists the number of executions of each process.

SecurityEvent
| where EventID == 4688
| summarize ExecutionCount = count() by NewProcessName
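An added example, not part of the original page, that turns the per-process count into a first-seen detection: it learns the set of process paths observed during a baseline period and then reports processes that appear in the most recent day but never appeared in the baseline, rarest first. The baseline and scoring periods are constructed values; the CommandLine column is only populated when command-line auditing for process creation is enabled.

```kusto
// Added example; not part of the original page.
// Lookback and scoring period are constructed values.
let baseline = 14d;   // history used to learn the set of known process paths
let recent = 1d;      // period to inspect for first-seen processes
let known = SecurityEvent
    | where TimeGenerated between (ago(baseline) .. ago(recent))
    | where EventID == 4688
    | distinct NewProcessName;
SecurityEvent
| where TimeGenerated > ago(recent)
| where EventID == 4688
| where NewProcessName !in (known)          // never seen during the baseline window
| summarize
    FirstSeen = min(TimeGenerated),
    Executions = count(),
    Hosts = dcount(Computer),
    Accounts = make_set(Account, 5),
    SampleCommandLine = take_any(CommandLine)  // empty unless command-line auditing is on
  by NewProcessName
| order by Hosts asc, Executions asc        // rarest first
```

Sorting by the number of hosts rather than by execution count puts a binary that ran once on a single machine at the top of the list, which is the pattern a raw execution count alone hides.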

Devices with the security log cleared

Devices on which the security log was cleared.

SecurityEvent
| where EventID == 1102
| summarize LogClearedCount = count() by Computer

Logon activity by account

Logon activity by account.

SecurityEvent
| where EventID == 4624
| summarize LogonCount = count() by Account

Accounts with fewer than 5 logons

Logon activity for accounts with fewer than 5 logons.

SecurityEvent
| where EventID == 4624
| summarize LogonCount = count() by Account
| where LogonCount < 5

Remotely logged-on accounts on the device

Accounts that logged on remotely to a specific device.

SecurityEvent
| where EventID == 4624 and (LogonTypeName == "3 - Network" or LogonTypeName == "10 - RemoteInteractive")
//| where Computer == "Computer01.contoso.com" // Replace with a specific computer name
| summarize RemoteLogonCount = count() by Account

Computers with Guest account logons

Computers with logons from the Guest account.

SecurityEvent
| where EventID == 4624 and TargetUserName == 'Guest' and LogonType in (10, 3)
| summarize count() by Computer

Members added to security-enabled groups

Members added to security-enabled groups.

SecurityEvent
| where EventID in (4728, 4732, 4756)
| summarize count() by SubjectAccount
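An added example, not part of the original page, serving both of the "members added to security groups" queries above: it keeps the same event IDs but restricts them to a watchlist of privileged groups and shows which members each subject account added and on which hosts. The group list is a constructed starting point, not a definitive set; the MemberName and TargetUserName columns are assumed to carry the added account and the group name for these events, as they do for the Windows 4728/4732/4756 events.

```kusto
// Added example; not part of the original page.
// The group list is a constructed watchlist; extend it with the tier-0 groups in your own directory.
let privileged_groups = dynamic(["Domain Admins", "Enterprise Admins", "Schema Admins", "Administrators", "Account Operators"]);
SecurityEvent
| where TimeGenerated > ago(1d)
| where EventID in (4728, 4732, 4756)       // member added to global / local / universal security group
| extend GroupName = TargetUserName         // for these events the target is the group
| where GroupName in~ (privileged_groups)
| summarize
    Additions = count(),
    MembersAdded = make_set(MemberName, 20),  // MemberName holds the DN of the added account
    Hosts = make_set(Computer, 5)
  by SubjectAccount, GroupName
| order by Additions desc
```

Grouping by the subject account and the group name, rather than by the subject alone, makes a single addition to Domain Admins stand out even when the same administrator legitimately makes dozens of changes to ordinary groups in the same day.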

Domain security policy changes

Counts events in which the domain policy was changed.

SecurityEvent
| where EventID == 4739
| summarize count() by DomainPolicyChanged

System audit policy changes

System audit policy changed events by computer.

SecurityEvent
| where EventID == 4719
| summarize count() by Computer

Suspicious executables

Lists suspicious executables.

SecurityEvent
| where EventID == 8002 and Fqbn == '-'
| summarize ExecutionCountHash=count() by FileHash
| where ExecutionCountHash <= 5

Logons with a plain-text password

Logons with a plain-text password, by target account.

SecurityEvent
| where EventID == 4624 and LogonType == 8
| summarize count() by TargetAccount

Computers with cleared event logs

Computers on which the event log was cleared.

SecurityEvent
| where EventID in (1102, 517) and EventSourceName == 'Microsoft-Windows-Eventlog'
| summarize count() by Computer
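An added example, not part of the original page, serving both log-cleared queries above (the security-log query and the event-log query): instead of counting cleared logs per computer, it correlates each 1102 event with the network and RemoteInteractive logons to the same computer in the hour before the clear, so the analyst sees who was on the box when the audit trail was removed. The one-hour window and seven-day lookback are constructed values; the example uses 1102 only, because the legacy 517 event does not reliably carry the clearing account in SubjectAccount.

```kusto
// Added example; not part of the original page.
// The correlation window and lookback are constructed values.
let lookback = 7d;
let before_clear = 1h;
let cleared = SecurityEvent
    | where TimeGenerated > ago(lookback)
    | where EventID == 1102                           // "The audit log was cleared"
    | project ClearedAt = TimeGenerated, Computer, ClearedBy = SubjectAccount;
SecurityEvent
| where TimeGenerated > ago(lookback)
| where EventID == 4624 and LogonType in (3, 10)      // network and RemoteInteractive logons
| project LogonAt = TimeGenerated, Computer, Account, LogonTypeName, IpAddress
| join kind=inner cleared on Computer
| where LogonAt between ((ClearedAt - before_clear) .. ClearedAt)
| project Computer, ClearedAt, ClearedBy, LogonAt, Account, LogonTypeName, IpAddress
| order by ClearedAt desc, LogonAt desc
```

Because 1102 is often the last event a compromised host emits before its history disappears, the logons in the window before it are frequently the only remaining record of the session that performed the clear; preserving them by forwarding to the workspace is what makes this correlation possible.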

Accounts that failed to log on

Counts failed logons by target account.

SecurityEvent
| where EventID == 4625
| summarize count() by TargetAccount

Locked-out accounts

Counts locked-out accounts by target account.

SecurityEvent
| where EventID == 4740
| summarize count() by TargetAccount

Change or reset password attempts

Counts change/reset password attempts for each target account.

SecurityEvent
| where EventID in (4723, 4724)
| summarize count() by TargetAccount

Groups created or modified

Groups created or modified, for each target account.

SecurityEvent
| where EventID in (4727, 4731, 4735, 4737, 4754, 4755)
| summarize count() by TargetAccount

Remote procedure call attempts

Counts remote procedure call attempts for each computer.

SecurityEvent
| where EventID == 5712
| summarize count() by Computer

User accounts changed

Counts user account changes for each target account.

SecurityEvent
| where EventID in (4720, 4722)
| summarize count() by TargetAccount