23 строки
704 B
Plaintext
23 строки
704 B
Plaintext
//KQL query to detect IPsec QM SAs with long lifetime (Event table)
|
|
Event
|
|
| where EventID == 5451
|
|
| extend ed = parse_xml(EventData).DataItem.EventData.Data
|
|
| mv-apply ed on
|
|
(
|
|
where ed['@Name'] == 'LifetimeSeconds'
|
|
| project LifetimeSeconds = ed['#text']
|
|
)
|
|
| extend ed = parse_xml(EventData).DataItem.EventData.Data
|
|
| mv-apply ed on
|
|
(
|
|
where ed['@Name'] == 'LocalAddress'
|
|
| project LocalAddress = ed['#text']
|
|
)
|
|
| extend ed = parse_xml(EventData).DataItem.EventData.Data
|
|
| mv-apply ed on
|
|
(
|
|
where ed['@Name'] == 'RemoteAddress'
|
|
| project RemoteAddress = ed['#text']
|
|
)
|
|
| where LifetimeSeconds > 14400
|
|
| project TimeGenerated, Computer, LocalAddress, RemoteAddress, LifetimeSeconds |