Queries for the SecurityEvent table

For information on using these queries in the Azure portal, see the Log Analytics tutorial. For the REST API, see Query.

Most common security event IDs

This query shows, in descending order, the volume of events ingested by Security Auditing for each EventID.

SecurityEvent
| where EventSourceName == "Microsoft-Windows-Security-Auditing"
| summarize EventCount = count() by EventID
| sort by EventCount desc

Members added to security groups

Who was added to a security-enabled group in the last day?

// To create an alert for this query, click '+ New alert rule'
SecurityEvent
| where EventID in (4728, 4732, 4756) // these event IDs indicate a member was added to a security-enabled group
| summarize count() by SubjectAccount, Computer, _ResourceId
// This query requires the Security solution

Cleartext password usage

List all accounts that logged on with a cleartext password in the last day.

// To create an alert for this query, click '+ New alert rule'
SecurityEvent
| where EventID == 4624 // event ID 4624: "an account was successfully logged on",
| where LogonType == 8 // logon type 8: "NetworkCleartext"
| summarize count() by TargetAccount, Computer, _ResourceId // count the reported security events for each account
// This query requires the Security solution

Windows failed logons

Find reports of Windows accounts that failed to log on.

// To create an alert for this query, click '+ New alert rule'
SecurityEvent
| where EventID == 4625
| summarize count() by TargetAccount, Computer, _ResourceId // count the reported security events for each account
// This query requires the Security solution
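As an added example (not one of the page's own queries), the failed-logon query scoped to an explicit time window instead of the portal's time picker, with an assumed threshold, and a check for whether a successful logon followed the failures on the same computer:

```kusto
// Added example, not part of the original page. Counts 4625 (failed logon)
// events per target account and computer over an explicit window, keeps
// only accounts at or above an assumed threshold, and flags those that
// later had a 4624 (successful logon) on the same computer.
let window = 1d;          // explicit lookback instead of the portal time picker
let threshold = 10;       // assumed value; tune for your environment
let failures = SecurityEvent
    | where TimeGenerated > ago(window)
    | where EventID == 4625
    | summarize FailedCount = count(),
                FirstFailure = min(TimeGenerated),
                LastFailure = max(TimeGenerated)
        by TargetAccount, Computer, _ResourceId
    | where FailedCount >= threshold;
let successes = SecurityEvent
    | where TimeGenerated > ago(window)
    | where EventID == 4624
    | summarize LastSuccess = max(TimeGenerated) by TargetAccount, Computer;
failures
| join kind=leftouter successes on TargetAccount, Computer
// LastSuccess is empty when no success was seen, so the flag is then null
| extend SucceededAfterFailures = LastSuccess > LastFailure
| project TargetAccount, Computer, _ResourceId, FailedCount,
          FirstFailure, LastFailure, LastSuccess, SucceededAfterFailures
| sort by FailedCount desc
```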

All security activities

Security activities sorted by time (latest first).

SecurityEvent
| project TimeGenerated, Account, Activity, Computer
| sort by TimeGenerated desc

Security activities on the device

Security activities on a specific device, sorted by time (latest first).

SecurityEvent 
//| where Computer == "COMPUTER01.contoso.com" // Replace with a specific computer name
| project TimeGenerated, Account, Activity, Computer
| sort by TimeGenerated desc

Security activities by admin

Security activities by the administrator on a specific device, sorted by time (latest first).

SecurityEvent 
//| where Computer == "COMPUTER01.contoso.com"  // Replace with a specific computer name
| where TargetUserName == "Administrator"
| project TimeGenerated, Account, Activity, Computer
| sort by TimeGenerated desc

Logon activity by device

Count logon activity for each device.

SecurityEvent
| where EventID == 4624
| summarize LogonCount = count() by Computer

Devices with more than 10 logons

Count logon activity for devices with more than 10 logons.

SecurityEvent
| where EventID == 4624
| summarize LogonCount = count() by Computer
| where LogonCount > 10

Accounts that terminated antimalware

Accounts that terminated Microsoft antimalware.

SecurityEvent
| where EventID == 4689
| where Process has "MsMpEng.exe" or ParentProcessName has "MsMpEng.exe"
| summarize TerminationCount = count() by Account

Devices that terminated antimalware

Devices that terminated Microsoft antimalware.

SecurityEvent
| where EventID == 4689 
| where Process has "MsMpEng.exe" or ParentProcessName has "MsMpEng.exe"
| summarize TerminationCount = count() by Computer

Devices that executed hash

Devices on which hash.exe was executed more than 5 times.

SecurityEvent
| where EventID == 4688
| where Process has "hash.exe" or ParentProcessName has "hash.exe"
| summarize ExecutionCount = count() by Computer
| where ExecutionCount > 5

Process names executed

List the number of executions for each process.

SecurityEvent
| where EventID == 4688
| summarize ExecutionCount = count() by NewProcessName

Devices with cleared security log

Devices on which the security log was cleared.

SecurityEvent
| where EventID == 1102
| summarize LogClearedCount = count() by Computer

Logon activity by account

Logon activity by account.

SecurityEvent
| where EventID == 4624
| summarize LogonCount = count() by Account

Accounts with fewer than 5 logons

Logon activity for accounts with fewer than 5 logons.

SecurityEvent
| where EventID == 4624
| summarize LogonCount = count() by Account
| where LogonCount < 5

Remote logon accounts on device

Accounts that logged on remotely to a specific device.

SecurityEvent
| where EventID == 4624 and (LogonTypeName == "3 - Network" or LogonTypeName == "10 - RemoteInteractive")
//| where Computer == "Computer01.contoso.com" // Replace with a specific computer name
| summarize RemoteLogonCount = count() by Account

Computers with guest account logons

Computers with logons from the Guest account.

SecurityEvent
| where EventID == 4624 and TargetUserName == 'Guest' and LogonType in (10, 3)
| summarize count() by Computer

Members added to security-enabled groups

Members added to security-enabled groups.

SecurityEvent
| where EventID in (4728, 4732, 4756)
| summarize count() by SubjectAccount

Domain security policy changes

Count domain policy change events.

SecurityEvent
| where EventID == 4739
| summarize count() by DomainPolicyChanged

System audit policy changes

System audit policy change events by computer.

SecurityEvent
| where EventID == 4719
| summarize count() by Computer

Suspicious executables

List suspicious executables.

SecurityEvent
| where EventID == 8002 and Fqbn == '-'
| summarize ExecutionCountHash=count() by FileHash
| where ExecutionCountHash <= 5

Logons with cleartext password

Logons with a cleartext password, by target account.

SecurityEvent
| where EventID == 4624 and LogonType == 8
| summarize count() by TargetAccount

Computers with cleaned event logs

Computers whose event logs were cleaned.

SecurityEvent
| where EventID in (1102, 517) and EventSourceName == 'Microsoft-Windows-Eventlog'
| summarize count() by Computer

Account failed logons

Count failed logons by target account.

SecurityEvent
| where EventID == 4625
| summarize count() by TargetAccount

Locked-out accounts

Count locked-out accounts by target account.

SecurityEvent
| where EventID == 4740
| summarize count() by TargetAccount

Change or reset password attempts

Count change/reset password attempts per target account.

SecurityEvent
| where EventID in (4723, 4724)
| summarize count() by TargetAccount

Groups created or modified

Groups created or modified per target account.

SecurityEvent
| where EventID in (4727, 4731, 4735, 4737, 4754, 4755)
| summarize count() by TargetAccount

Remote procedure call attempts

Count remote procedure call attempts per computer.

SecurityEvent
| where EventID == 5712
| summarize count() by Computer

User accounts changed

Count user account changes per target account.

SecurityEvent
| where EventID in (4720, 4722)
| summarize count() by TargetAccount // count the account creation (4720) and enable (4722) events per target account