使用 where 运算符

• 3 分钟

where 运算符筛选表，获取满足谓词的行子集。

请分别尝试这些查询以查看结果。

SecurityEvent
| where TimeGenerated > ago(1d)

SecurityEvent
| where TimeGenerated > ago(1h) and EventID == "4624"

SecurityEvent
| where TimeGenerated > ago(1h)
| where EventID == 4624
| where AccountType =~ "user"

SecurityEvent | where EventID in (4624, 4625)