Kibana queries
Query the operations the lyad account performed on AD accounts:
Category:"用户帐户管理" AND SubjectUserName:"lyad"
Query the operations performed on the account zhangsan:
Category:"用户帐户管理" AND TargetUserName:"zhangsan"
Query zhangsan's failed logon events:
EventType:"AUDIT_FAILURE" AND (TargetUserName:"zhangsan" OR ServiceName:"zhangsan")
Query zhangsan's failed logon events, excluding those whose IP is 192.168.1.2 or 192.168.1.3:
EventType:AUDIT_FAILURE AND (TargetUserName:zhangsan OR ServiceName:zhangsan) -IpAddress:192.168.1.2 -IpAddress:192.168.1.3
Query ly's logons that did not come from a mobile client:
cs-username:"ly" -cs-uri-stem:"/Microsoft-Server-ActiveSync/*"
cs-username:zhangsan -csUser-Agent:"MSRPC" -csUser-Agent:"Outlook-iOS-Android*" # unquoted zhangsan is a fuzzy match
EventTime is a Date field:
EventTime:["2019-03-20" TO "2019-03-20"] # includes both ends
EventTime:{"2019-03-20" TO "2019-03-20"} # excludes both ends
EventTime:{"2019-03-20" TO "2019-03-20"] # one end only: { excludes the start, ] includes the end
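The bracket rules above map directly onto the Elasticsearch range query that Kibana sends on your behalf: `[` becomes `gte`, `{` becomes `gt`, `]` becomes `lte`, `}` becomes `lt`. The following Python is an added example, not part of these notes; it parses that range syntax and builds the failed-logon search with IP exclusions as an Elasticsearch bool query, so the same hunt can be run from a script instead of the Kibana search bar. The field names (EventType, TargetUserName, ServiceName, IpAddress, EventTime) are the ones used in the notes; the function names and the sample query strings are constructed for this example.

```python
import re

# Lucene/Kibana range syntax: field:[a TO b], {a TO b}, {a TO b], [a TO b}
# Bracket = inclusive bound, brace = exclusive bound. Quotes around the
# values are optional, as in the notes above.
_RANGE_RE = re.compile(
    r'^(?P<field>[\w.\-]+):(?P<lo>[\[{])\s*"?(?P<start>[^"\s]+)"?'
    r'\s+TO\s+"?(?P<end>[^"\s]+)"?\s*(?P<hi>[\]}])$'
)


def range_to_dsl(expr):
    """Translate a Kibana range expression into an Elasticsearch range query."""
    m = _RANGE_RE.match(expr.strip())
    if not m:
        raise ValueError(f"not a range expression: {expr!r}")
    lo_op = "gte" if m["lo"] == "[" else "gt"   # [ includes start, { excludes it
    hi_op = "lte" if m["hi"] == "]" else "lt"   # ] includes end, } excludes it
    return {"range": {m["field"]: {lo_op: m["start"], hi_op: m["end"]}}}


def failed_logon_query(user, exclude_ips=(), time_range=None):
    """Bool-query equivalent of:
    EventType:AUDIT_FAILURE AND (TargetUserName:<user> OR ServiceName:<user>)
    -IpAddress:<ip> ...  [AND EventTime:<range>]
    Negated terms (-field:value) become must_not clauses.
    """
    filters = [
        {"term": {"EventType": "AUDIT_FAILURE"}},
        {
            "bool": {
                "should": [
                    {"term": {"TargetUserName": user}},
                    {"term": {"ServiceName": user}},
                ],
                "minimum_should_match": 1,
            }
        },
    ]
    if time_range:
        filters.append(range_to_dsl(time_range))
    must_not = [{"term": {"IpAddress": ip}} for ip in exclude_ips]
    return {"query": {"bool": {"filter": filters, "must_not": must_not}}}


if __name__ == "__main__":
    import json
    # Constructed sample: same hunt as in the notes, restricted to one day.
    q = failed_logon_query(
        "zhangsan",
        exclude_ips=["192.168.1.2", "192.168.1.3"],
        time_range='EventTime:["2019-03-20" TO "2019-03-20"]',
    )
    print(json.dumps(q, indent=2))
```

Using `filter` rather than `must` keeps the clauses out of relevance scoring, which is what you want for log hunting. For a pure date value like 2019-03-20, Elasticsearch rounds `gte`/`lt` down to the start of the day and `gt`/`lte` up to the end of it, which is why a single-day inclusive range such as `["2019-03-20" TO "2019-03-20"]` returns the whole day rather than one instant.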