我是 Sentinel/Work Analytics 和 KQL 的新手。我一直在尝试编写一个查询,以从 Azure 活动登录日志中按用户和位置获取所有成功的登录。希望您能帮助我,或者向我指出一些参考资料。
我尝试使用了 GitHub 和 Sentinel 仪表板中的一些示例。我可以按国家/地区获取所有失败的用户登录,但获取不到成功的登录。我打算将此日志数据用于地理封锁活动。
任何帮助将不胜感激,对于这样一个初学者问题感到抱歉。
提前致谢
我是 Sentinel/Work Analytics 和 KQL 的新手。我一直在尝试编写一个查询,以从 Azure 活动登录日志中按用户和位置获取所有成功的登录。希望您能帮助我,或者向我指出一些参考资料。
我尝试使用了 GitHub 和 Sentinel 仪表板中的一些示例。我可以按国家/地区获取所有失败的用户登录,但获取不到成功的登录。我打算将此日志数据用于地理封锁活动。
任何帮助将不胜感激,对于这样一个初学者问题感到抱歉。
提前致谢
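// Successful sign-ins by user and location, from the Sentinel SigninLogs table.
//
// The original was lifted from a workbook: the '*' placeholders and the
// undeclared `details` parameter only resolve inside that workbook, and the
// success filter was commented out, so run standalone it either fails to parse
// or returns every outcome. Parameters are declared with `let` below; set them
// here instead of editing the pipeline. '*' keeps the "match everything" meaning.
//
// Geo-blocking caveat: Country/City come from LocationDetails, which is
// IP-geolocation and can be empty or wrong (VPN, proxy, mobile egress). Rows
// with an empty country pass the `Country != HomeCountry` test, so review them
// before turning this output into a Conditional Access policy.
let AppFilter = dynamic(['*']);        // app display names to keep, or ['*'] for all
let UserFilter = dynamic(['*']);       // user display names to keep, or ['*'] for all
let LocationType = '*';                // '*', 'Country' or 'City'
let LocationName = '*';                // value matched when LocationType is not '*'
let HomeCountry = 'AU';                // sign-ins from this country are excluded
let TenantDomain = 'example.com';      // substring of UserPrincipalName to keep
// Entra ID error codes that mean "waiting on the user" (MFA, consent, password
// reset, ...) rather than a hard failure; the same list as the original case().
let PendingCodes = dynamic([50058, 50140, 51006, 50059, 65001, 52004, 50055, 50144,
                            50072, 50074, 16000, 16001, 16003, 50127, 50125, 50129,
                            50143, 81010, 81014, 81012]);
let data = SigninLogs
// isempty() also covers a null AppDisplayName, which '' == does not.
| extend AppDisplayName = iff(isempty(AppDisplayName), 'Unknown', AppDisplayName)
| where '*' in (AppFilter) or AppDisplayName in (AppFilter)
| where '*' in (UserFilter) or UserDisplayName in (UserFilter)
| extend Country = tostring(LocationDetails.countryOrRegion)
| extend City = tostring(LocationDetails.city)
// Status.errorCode is dynamic; cast once so the comparisons below are typed.
| extend errorCode = toint(Status.errorCode)
| extend SigninStatus = case(errorCode == 0, "Success",
                             errorCode in (PendingCodes), "Pending user action",
                             "Failure")
| where LocationType == '*'
    or (LocationType == 'Country' and Country == LocationName)
    or (LocationType == 'City' and City == LocationName)
// `contains` is a case-insensitive substring match: it also keeps guest UPNs
// of the form user_example.com#EXT#@tenant, which is usually wanted for a
// geo review. Use `endswith strcat('@', TenantDomain)` to keep members only.
| where UserPrincipalName contains TenantDomain
| where Country != HomeCountry
// Success only — this is the filter the original left commented out.
// errorCode == 0 and ResultType == "0" are the same signal in SigninLogs.
| where SigninStatus == "Success";
data
// Hard cap: if more than 10000 successful sign-ins match, the oldest are
// silently dropped. Narrow the time range or aggregate (summarize by
// UserPrincipalName, Country) for a complete picture.
| top 10000 by TimeGenerated desc
//| extend TimeFromNow = now() - TimeGenerated
//| extend TimeAgo = strcat(case(TimeFromNow < 2m, strcat(toint(TimeFromNow / 1m), ' seconds'), TimeFromNow < 2h, strcat(toint(TimeFromNow / 1m), ' minutes'), TimeFromNow < 2d, strcat(toint(TimeFromNow / 1h), ' hours'), strcat(toint(TimeFromNow / 1d), ' days')), ' ago')
| project User = UserDisplayName, ['Sign-in Status'] = strcat(iff(SigninStatus == 'Success', '✔️', '❌'), ' ', SigninStatus), ['Sign-in Time'] = TimeGenerated, App = AppDisplayName, ['Error code'] = errorCode, ['Result type'] = ResultType, ['Result signature'] = ResultSignature, ['Result description'] = ResultDescription, ['Conditional access policies'] = ConditionalAccessPolicies, ['Conditional access status'] = ConditionalAccessStatus, ['Operating system'] = DeviceDetail.operatingSystem, Browser = DeviceDetail.browser, ['Country or region'] = LocationDetails.countryOrRegion, ['State'] = LocationDetails.state, ['City'] = LocationDetails.city, ['Time generated'] = TimeGenerated, Status, ['User principal name'] = UserPrincipalName, ['ClientAppUsed'] = ClientAppUsed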