Forum Discussion

Thomas Cox
Copper Contributor
Mar 01, 2023
Solved

Microsoft Sentinel - See collected Event IDs per Computer

Hey!

Whilst the Common Security Events (via AMA) collects a set number of Windows Security Event IDs:

Windows security event sets that can be sent to Microsoft Sentinel | Microsoft Learn


Is there a way to see which computers are sending which event IDs as part of a wider SecurityEvents query? It's easy enough to pull back Event IDs being collected:

SecurityEvent
| summarize count() by Activity

Any pointers would be appreciated! 


  • Thomas Cox
    Copper Contributor
    This might be the answer:

    SecurityEvent
    | distinct Computer, EventID

    • Clive_Watson
      Bronze Contributor

      Thomas Cox

      An alternative method

      SecurityEvent
      | summarize count_=dcount(EventID), Ids_=make_set(EventID) by Computer

      • Thomas Cox
        Copper Contributor
        That is much neater than having to stitch the data together! Thank you.
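The `make_set` query above answers the original question; it is also a useful basis for a collection-coverage check, which is the more common reason a defender wants this view (a host that stops forwarding 4688 or 4624 is a detection gap, not just a curiosity). The following KQL is an added example, not code from the thread or from Microsoft. It runs against a constructed `datatable` so it can be pasted into any Log Analytics workspace and tested without live data; on a real workspace replace `SampleSecurityEvent` with `SecurityEvent` and add a time filter. The host names, the event rows and the `ExpectedIds` list are assumptions; set `ExpectedIds` to whatever event set your AMA data collection rule is configured to send.

```kql
// Constructed sample rows standing in for the SecurityEvent table (assumption, not real telemetry).
let SampleSecurityEvent = datatable(TimeGenerated: datetime, Computer: string, EventID: int, Activity: string)
[
    datetime(2023-03-01T08:00:00Z), "DC01.contoso.local",  4624, "4624 - An account was successfully logged on.",
    datetime(2023-03-01T08:01:00Z), "DC01.contoso.local",  4625, "4625 - An account failed to log on.",
    datetime(2023-03-01T08:02:00Z), "DC01.contoso.local",  4688, "4688 - A new process has been created.",
    datetime(2023-03-01T08:03:00Z), "WS07.contoso.local",  4624, "4624 - An account was successfully logged on.",
    datetime(2023-03-01T08:04:00Z), "WS07.contoso.local",  4624, "4624 - An account was successfully logged on.",
    datetime(2023-03-01T08:05:00Z), "SRV02.contoso.local", 4688, "4688 - A new process has been created.",
];
// Event IDs every host is expected to report. Assumption: adjust to the event set your DCR actually collects.
let ExpectedIds = dynamic([4624, 4625, 4688]);
SampleSecurityEvent
// On live data: | where TimeGenerated > ago(7d)   (omitted here because the sample rows are dated 2023)
| summarize
    EventCount  = count(),           // total rows received from this host
    DistinctIds = dcount(EventID),   // how many different event IDs the host has sent
    SeenIds     = make_set(EventID)  // the event IDs themselves, as in Clive_Watson's query
    by Computer
// set_difference(a, b) returns the elements of a that are absent from b,
// so MissingIds lists expected event IDs that this host has never forwarded.
| extend MissingIds = set_difference(ExpectedIds, SeenIds)
| project Computer, EventCount, DistinctIds, SeenIds, MissingIds
// Hosts with the largest coverage gap first.
| order by array_length(MissingIds) desc, Computer asc
```

With the constructed rows, `SRV02` and `WS07` each surface with two missing IDs and `DC01` with none. In a real workspace the `summarize` alone gives the per-computer view the thread asked for; the `set_difference` step turns it into an alert-able coverage check that can be scheduled as an analytics rule.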
