0

我是 Sentinel/Work Analytics 和 KMQ 的新手。我一直在尝试找出一个查询,以从 azure 活动登录中获取用户和位置的所有成功登录。我希望您能帮助我或向我指出一些参考资料。

我尝试使用 github 和 Sentinel 仪表板中的一些示例。我可以按国家/地区获取所有失败的用户登录,但不成功。我打算将此日志数据用于地理封锁活动。

任何帮助将不胜感激,对于这样一个初学者问题感到抱歉。

提前致谢

4

1 回答 1

0 
let data = SigninLogs
    | extend AppDisplayName = iff(AppDisplayName == '', 'Unknown', AppDisplayName)
    | where AppDisplayName in ('*') or '*' in ('*')
    | where UserDisplayName in ('*') or '*' in ('*')
    | extend Country = tostring(LocationDetails.countryOrRegion)
    | extend City = tostring(LocationDetails.city)
    | extend errorCode = Status.errorCode
    | extend SigninStatus = case(errorCode == 0, "Success", errorCode == 50058, "Pending user action", errorCode == 50140, "Pending user action", errorCode == 51006, "Pending user action", errorCode == 50059, "Pending user action", errorCode == 65001, "Pending user action", errorCode == 52004, "Pending user action", errorCode == 50055, "Pending user action", errorCode == 50144, "Pending user action", errorCode == 50072, "Pending user action", errorCode == 50074, "Pending user action", errorCode == 16000, "Pending user action", errorCode == 16001, "Pending user action", errorCode == 16003, "Pending user action", errorCode == 50127, "Pending user action", errorCode == 50125, "Pending user action", errorCode == 50129, "Pending user action", errorCode == 50143, "Pending user action", errorCode == 81010, "Pending user action", errorCode == 81014, "Pending user action", errorCode == 81012, "Pending user action", "Failure")
    | where SigninStatus == '*' or '*' == '*' or '*' == 'All Sign-ins'
    | where details.Type == '*' or (details.Type == 'Country' and Country == details.Name) or (details.Type == 'City' and City == details.Name)
    | where UserPrincipalName contains "example.com"
    | where Country != "AU";
    //| where SigninStatus contains "success";
data
| top 10000 by TimeGenerated desc
//| extend TimeFromNow = now() - TimeGenerated
//| extend TimeAgo = strcat(case(TimeFromNow < 2m, strcat(toint(TimeFromNow / 1m), ' seconds'), TimeFromNow < 2h, strcat(toint(TimeFromNow / 1m), ' minutes'), TimeFromNow < 2d, //strcat(toint(TimeFromNow / 1h), ' hours'), strcat(toint(TimeFromNow / 10d), ' days')), ' ago')
| project User = UserDisplayName, ['Sign-in Status'] = strcat(iff(SigninStatus == 'Success', '✔️', '❌'), ' ', SigninStatus), ['Sign-in Time'] = TimeGenerated, App = AppDisplayName, ['Error code'] = errorCode, ['Result type'] = ResultType, ['Result signature'] = ResultSignature, ['Result description'] = ResultDescription, ['Conditional access policies'] = ConditionalAccessPolicies, ['Conditional access status'] = ConditionalAccessStatus, ['Operating system'] = DeviceDetail.operatingSystem, Browser = DeviceDetail.browser, ['Country or region'] = LocationDetails.countryOrRegion, ['State'] = LocationDetails.state, ['City'] = LocationDetails.city, ['Time generated'] = TimeGenerated, Status, ['User principal name'] = UserPrincipalName, ['ClientAppUsed'] = ClientAppUsed````
于 2021-02-09T06:12:44.253 回答