Queries for the SentinelAudit table
For information on using these queries in the Azure portal, see the Log Analytics tutorial. For the REST API, see Query.
Failed updates of Sentinel resources related to Office365-Sharepoint
Shows audit log entries for failed attempts to update Office365-Sharepoint related Sentinel resources, with optional filters on caller name and workspace ID.
```kusto
SentinelAudit
//| where WorkspaceId == "<WorkspaceId>" // to filter on a specific WorkspaceId, uncomment this line
| extend CallerName = tostring(ExtendedProperties.CallerName)
// | where CallerName startswith "<userName>" // to filter on a specific user, uncomment this line
| where Status == "Failure"
| where SentinelResourceName has "Office365-Sharepoint"
| limit 100
```
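The query above lists individual failures. For triage it is often more useful to see which callers are repeatedly failing to update these resources and over what window. The following aggregated variant is an added example, not part of the original page; it uses the same columns as the query above plus TimeGenerated (the standard Log Analytics timestamp column), and the 7-day lookback and the threshold of three failures are assumptions to tune for your environment.

```kusto
// Added example (not from the original page): count failed Office365-Sharepoint
// resource updates per caller and workspace, so repeated failures stand out.
// Assumes TimeGenerated (standard Log Analytics timestamp) in addition to the
// columns used in the query above; the lookback and threshold are assumptions.
SentinelAudit
| where TimeGenerated > ago(7d)
| where Status == "Failure"
| where SentinelResourceName has "Office365-Sharepoint"
| extend CallerName = tostring(ExtendedProperties.CallerName)
| summarize
    FailureCount = count(),
    FirstFailure = min(TimeGenerated),
    LastFailure = max(TimeGenerated),
    Resources = make_set(SentinelResourceName)
    by CallerName, WorkspaceId
| where FailureCount >= 3   // threshold is an assumption; adjust to your baseline
| order by FailureCount desc
```

Grouping by WorkspaceId as well as CallerName keeps failures from different Sentinel workspaces separate, which matters when one identity administers several workspaces; the make_set of resource names shows whether a caller is hitting one resource repeatedly or many.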