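// Get stats on ExploitGuard blocks - count events and machines per action type.
//
// Scope: DeviceEvents rows whose ActionType starts with "ExploitGuard" and ends
// with "Blocked", i.e. Exploit Guard mitigations that actually enforced.
// Output: one row per ActionType with the event count and the number of
// distinct devices that produced at least one such event.
//
// NOTE(review): the suffix filter only matches action types ending in
// "Blocked". Enforcement events reported under another suffix (ACG appears to
// use "ExploitGuardAcgEnforced") and ASR rules, which in newer schema versions
// seem to carry their own "Asr*Blocked"/"Asr*Audited" action types rather than
// the "ExploitGuard" prefix, are NOT counted here. Confirm against the current
// DeviceEvents ActionType list and widen the filter if that coverage is wanted.
//
// The original paste had a bare "|" on every blank line, which makes the query
// fail to parse (a pipe must be followed by an operator); those are removed.
let lookback = 30d;   // explicit time window (30d is the hunting retention cap); narrow for day-to-day triage
DeviceEvents
| where Timestamp > ago(lookback)
| where ActionType startswith "ExploitGuard" and ActionType endswith "Blocked"
// Count total stats - count events and machines per action type
| summarize EventCount = count(), MachinesCount = dcount(DeviceName) by ActionType
// summarize output order is unspecified; sort so the noisiest mitigations come first
| order by EventCount desc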
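// View ExploitGuard audit events - but collapse repeating events (e.g. multiple
// events with the same machine, action type, file and initiating process).
//
// Scope: DeviceEvents rows whose ActionType starts with "ExploitGuard" and ends
// with "Audited", i.e. mitigations running in audit mode that WOULD have
// blocked. Useful for deciding whether a mitigation is safe to move to block
// mode: each output row is one (device, action type, file, process) tuple.
//
// Output per tuple: Timestamp = most recent occurrence (column name kept from
// the original query), FirstSeen = earliest occurrence, Occurrences = how many
// raw events were collapsed into the row.
//
// NOTE(review): InitiatingProcessId alone does not identify a process instance
// (PIDs are reused across reboots/exits), so two different instances with the
// same command line and PID collapse into one row. Add
// InitiatingProcessCreationTime to the group key if per-instance fidelity is
// needed. As with the block-stats query, ASR rules appear to use "Asr*Audited"
// action types in newer schema versions and are not matched by this prefix -
// confirm against the current ActionType list.
//
// The original paste had a bare "|" on every blank line, which makes the query
// fail to parse (a pipe must be followed by an operator); those are removed.
let lookback = 30d;   // explicit time window (30d is the hunting retention cap); narrow for day-to-day triage
DeviceEvents
| where Timestamp > ago(lookback)
| where ActionType startswith "ExploitGuard" and ActionType endswith "Audited"
| summarize
    Timestamp = max(Timestamp),
    FirstSeen = min(Timestamp),
    Occurrences = count()
    by DeviceName, ActionType, FileName, FolderPath,
       InitiatingProcessCommandLine, InitiatingProcessFileName, InitiatingProcessFolderPath, InitiatingProcessId,
       SHA1
// summarize output order is unspecified; show the most recent audit hits first
| order by Timestamp desc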