查询lyad账号操作AD账号的操作:
Category:"用户帐户管理" AND SubjectUserName:"lyad"
查询对账号zhangsan进行的操作:
Category:"用户帐户管理" AND TargetUserName:"zhangsan"
查询zhangsan登录失败的日志:
EventType:"AUDIT_FAILURE" AND (TargetUserName:"zhangsan" OR ServiceName:"zhangsan")
查询zhangsan登录失败的日志,不查询IP为192.168.1.2/3的日志:
EventType:AUDIT_FAILURE AND (TargetUserName:zhangsan OR ServiceName:zhangsan) -IpAddress:192.168.1.2 -IpAddress:192.168.1.3
查询ly的非移动端登录日志:
cs-username:"ly" -cs-uri-stem:"/Microsoft-Server-ActiveSync/*"
cs-username:zhangsan -csUser-Agent:"MSRPC" -csUser-Agent:"Outlook-iOS-Android*" #zhangsan为模糊查询
EventTime为Date格式:
EventTime:["2019-03-20" TO "2019-03-20"] #包含首尾
EventTime:{"2019-03-20" TO "2019-03-20"} #不包含首尾
EventTime:{"2019-03-20" TO "2019-03-20"] #包含首或尾