Compartir a través de

Consultas para la tabla IdentityLogonEvents

  • Artículo

Para obtener información sobre el uso de estas consultas en Azure Portal, consulte tutorial de Log Analytics. Para obtener la API REST, consulte Consulta.

Procesos de autenticación LDAP con contraseñas de texto no cifrado

Busque los procesos que realizaron la autenticación LDAP con contraseñas de texto no cifrado.

// Find processes that performed LDAP authentication with cleartext passwords
IdentityLogonEvents
| where Protocol == "LDAP" //and isnotempty(AccountName)
| project LogonTime = Timestamp, DeviceName, Application, ActionType, LogonType //,AccountName
| join kind=inner (
DeviceNetworkEvents
| where ActionType == "ConnectionSuccess"
| extend DeviceName = toupper(trim(@"\..*$",DeviceName))
| where RemotePort == "389"
| project NetworkConnectionTime = Timestamp, DeviceName, AccountName = InitiatingProcessAccountName, InitiatingProcessFileName, InitiatingProcessCommandLine
) on DeviceName
| where LogonTime - NetworkConnectionTime between (-2m .. 2m)
| project Application, LogonType, ActionType, LogonTime, DeviceName, InitiatingProcessFileName, InitiatingProcessCommandLine //, AccountName
| limit 100