Delen via

Query's voor de tabel IdentityQueryEvents

  • Artikel

Zie de zelfstudie over Log Analytics voor meer informatie over het gebruik van deze query's in Azure Portal. Zie Query voor de REST API.

SAMR-query's naar Active Directory

Zoek processen die SAMR-query's naar Active Directory hebben verzonden.

// Find processes that sent SAMR queries to Active Directory
IdentityQueryEvents
| where ActionType == "SAMR query"
//    and isnotempty(AccountName)
| project QueryTime = Timestamp, DeviceName, AccountName, Query, QueryTarget
| join kind=inner (
DeviceProcessEvents
| extend DeviceName = toupper(trim(@"\..*$",DeviceName))
//| where InitiatingProcessCommandLine contains "net.exe"
| project ProcessCreationTime = Timestamp, DeviceName, AccountName,
     InitiatingProcessFileName , InitiatingProcessCommandLine
    ) on DeviceName//, AccountName
| where ProcessCreationTime - QueryTime between (-2m .. 2m)
| project QueryTime, DeviceName, InitiatingProcessFileName, InitiatingProcessCommandLine, Query, QueryTarget //,AccountName
 | limit 100