Forum Discussion

Thomas Cox's avatar
Thomas Cox
Copper Contributor
Mar 01, 2023
Solved

Microsoft Sentinel - See collected Event IDs per Computer

Hey!    Whilst the Common Security Events (via AMA) collects a set number of Windows Security Event IDs:  https://learn.microsoft.com/en-us/azure/sentinel/windows-security-event-id-reference   I...
data collection
KQL
  • Clive_Watson's avatar
    Clive_Watson
    Mar 02, 2023

    Thomas Cox 

     

    An alternative method

    SecurityEvent
| summarize count_=dcount(EventID), Ids_=make_set(EventID) by Computer

     

     

Thomas Cox's avatar
Thomas Cox
Copper Contributor
Mar 01, 2023
This might be the answer:

Security Event
| distinct Computer, EventID

Clive_Watson's avatar
Clive_Watson
Bronze Contributor
Mar 02, 2023

Thomas Cox 

 

An alternative method

SecurityEvent
| summarize count_=dcount(EventID), Ids_=make_set(EventID) by Computer

 

 

  • Thomas Cox's avatar
    Thomas Cox
    Copper Contributor
    Mar 02, 2023
    That is much neater than having to stitch the data together! Thank you.

Resources