Dotazy na tabulku IdentityLogonEvents
Informace o používání těchto dotazů na webu Azure Portal najdete v kurzu služby Log Analytics. Informace o rozhraní REST API najdete v tématu Dotaz.
Procesy ověřování LDAP s hesly typu cleartext
Vyhledejte procesy, které prováděly ověřování LDAP s hesly typu cleartext.
// Find processes that performed LDAP authentication with cleartext passwords
IdentityLogonEvents
| where Protocol == "LDAP" //and isnotempty(AccountName)
| project LogonTime = Timestamp, DeviceName, Application, ActionType, LogonType //,AccountName
| join kind=inner (
DeviceNetworkEvents
| where ActionType == "ConnectionSuccess"
| extend DeviceName = toupper(trim(@"\..*$",DeviceName))
| where RemotePort == "389"
| project NetworkConnectionTime = Timestamp, DeviceName, AccountName = InitiatingProcessAccountName, InitiatingProcessFileName, InitiatingProcessCommandLine
) on DeviceName
| where LogonTime - NetworkConnectionTime between (-2m .. 2m)
| project Application, LogonType, ActionType, LogonTime, DeviceName, InitiatingProcessFileName, InitiatingProcessCommandLine //, AccountName
| limit 100