OfficeActivity 表的查询

有关在 Azure 门户中使用这些查询的信息,请参阅 Log Analytics 教程。 有关 REST API,请参阅查询

所有 Office 活动

Office 活动提供的所有事件。

OfficeActivity
| project TimeGenerated, UserId, Operation, OfficeWorkload, RecordType, _ResourceId
| sort by TimeGenerated desc nulls last

访问文件的用户

用户按他们访问的 OneDrive 和 SharePoint 文件数进行排序。

OfficeActivity
| where OfficeWorkload in ("OneDrive", "SharePoint") and Operation in ("FileDownloaded", "FileAccessed")
| summarize AccessedFilesCount = dcount(OfficeObjectId) by UserId, _ResourceId
| sort by AccessedFilesCount desc nulls last

文件上传操作

列出按上传到 OneDrive 和 SharePoint 的文件数排序的用户。

OfficeActivity
| where OfficeWorkload in ("OneDrive", "SharePoint") and Operation in ("FileUploaded")
| summarize AccessedFilesCount = dcount(OfficeObjectId) by UserId, _ResourceId
| sort by AccessedFilesCount desc nulls last

用户的 Office 活动

该查询显示了用户在 Office 上的活动。

// Replace the UPN in the query with the UPN of the user of interest
let v_Users_UPN= "osotnoc@contoso.com";
OfficeActivity
| where UserId==v_Users_UPN
| project TimeGenerated, OfficeWorkload, Operation, ResultStatus, OfficeObjectId, _ResourceId

创建转发规则

列出电子邮件转发规则的创建。

OfficeActivity
| where OfficeWorkload == "Exchange"
| where Operation in~ ("New-TransportRule", "Set-TransportRule")
| extend RuleName = case(Operation =~ "Set-TransportRule", tostring(OfficeObjectId), Operation =~ "New-TransportRule", tostring(parse_json(Parameters)[1].Value), "Unknown")
| project  TimeGenerated, ClientIP, UserId, Operation, RuleName, _ResourceId

可疑文件名

对文件名可能表示可执行文件混淆的文件进行操作。

OfficeActivity
| where RecordType =~ "SharePointFileOperation" and isnotempty(SourceFileName)
| where OfficeObjectId has ".exe." and OfficeObjectId matches regex @"\.exe\.\w{0,4}$"