The following KQL queries are a starting point for security recommendations, each one a self-contained hunting query with a short comment describing what it looks for:

// File-system object access (Event ID 4663) by user accounts with a specific access mask
SecurityEvent
| where EventID == 4663
| where AccessMask == 0x100080
| where AccountType == 'User'
| project TimeGenerated, Account, ObjectName, AccessMask

// Failed logons (Event ID 4625) that carry a failure reason
SecurityEvent
| where EventID == 4625
| where isnotempty(FailureReason)
| project TimeGenerated, Account, FailureReason, FailureReasonText

// Files created or downloaded under AppData by common user-facing processes
DeviceFileEvents
| where InitiatingProcessFileName in~ ("explorer.exe", "winword.exe", "excel.exe")
| where ActionType in~ ("FileDownloaded", "FileCreated")
| where FolderPath contains "AppData"
| project TimeGenerated, InitiatingProcessFileName, FileName, FolderPath

// Outbound connections to public IP addresses outside an expected country
// (the country and coordinate columns assume a geo-enrichment step; they are not in the default network event schema)
NetworkCommunicationEvents
| where RemoteIPType == "Public"
| where RemoteIPCountry != "China"
| project TimeGenerated, LocalIP, RemoteIP, RemoteIPCountry, RemoteIPLatitude, RemoteIPLongitude
These examples cover a few common security recommendations and can be adjusted and extended to match specific security requirements.
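As one way of extending the failed-logon query above, the following added example (not part of the original page) correlates failures and successes per account and host in one-hour windows, so that a burst of failures followed by a success stands out; the 10-failure threshold, the 1-day lookback and the one-hour window are assumptions to tune per environment.

```kql
// Added example: brute-force / password-spray detection built on Event IDs 4625 and 4624.
// Assumptions: SecurityEvent is populated with Windows Security logs, and the
// threshold, lookback and window below are tuning values, not measured baselines.
let lookback = 1d;
let threshold = 10;
SecurityEvent
| where TimeGenerated > ago(lookback)
| where EventID in (4624, 4625)
| summarize Failures = countif(EventID == 4625),
            Successes = countif(EventID == 4624),
            // up to 10 distinct source IPs seen on the failed attempts
            SourceIPs = make_set_if(IpAddress, EventID == 4625, 10),
            FirstFailure = minif(TimeGenerated, EventID == 4625),
            FirstSuccess = minif(TimeGenerated, EventID == 4624)
    by Account, Computer, bin(TimeGenerated, 1h)
| where Failures >= threshold
// a success that lands after the first failure in the same window is the case to triage first
| extend SuccessAfterFailures = Successes > 0 and FirstSuccess > FirstFailure
| project TimeGenerated, Account, Computer, Failures, Successes, SuccessAfterFailures, SourceIPs, FirstFailure, FirstSuccess
| order by SuccessAfterFailures desc, Failures desc
```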