Forum Discussion

CharlieK95
Copper Contributor
Jan 18, 2022
Solved

User Events Per Second KQL

Hey!

I hope you're all doing well!

I've been working with a monthly report with Sentinel and PowerBI, and I've been trying to get a "User EPS Count". This would be a KQL statement that looks at the last 30 days of events and searches based on a user. For example, User1 has an average of 6000 events linked to their account in a month, User 2 has 3000 events, etc.

Is this possible in KQL, or do I have to make a few searches and correlate based around that?

TIA

    m_zorich
    Feb 01, 2022

    Something like this?
    SecurityEvent
    | where TimeGenerated > ago(1h)
    | summarize EventCount=count() by TargetAccount
    // count() returns a long, and long / long is integer division in KQL, which would
    // round almost every account down to 0; convert to double before dividing by the
    // 3600 seconds in the 1h window
    | extend EPSCount = todouble(EventCount) / 3600

    Not sure too many single user accounts would be generating so many events to actually get very high EPS, so that last line may be redundant; if you take it out, you will just get a count per TargetAccount.

    Also, with SecurityEvent logs in particular, depending on the EventId the TargetAccount field can be blank, so maybe just double-check you are getting everything you need.

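The same idea stretched to the 30-day window the original question asks about, as an added example that is not part of any reply in this thread. It assumes only the SecurityEvent table with its TimeGenerated and TargetAccount columns (both used above); the "<no TargetAccount>" label is a constructed placeholder for the blank-account rows m_zorich warns about, and the division is done as a double so that low-volume accounts do not collapse to 0 EPS.

```kusto
// Added example (not from the thread): average events per second per account
// over the last 30 days. Assumes the SecurityEvent table with TimeGenerated and
// TargetAccount, as used in the replies above.
let lookback = 30d;
// Seconds in the window as a real number (timespan / timespan yields a real in KQL)
let lookback_seconds = lookback / 1s;
SecurityEvent
| where TimeGenerated > ago(lookback)
// Some EventIds carry no TargetAccount; give those rows an explicit label
// ("<no TargetAccount>" is a constructed placeholder) so the gap shows up in the
// report instead of disappearing into an unnamed bucket
| extend Account = iif(isempty(TargetAccount), "<no TargetAccount>", TargetAccount)
| summarize EventCount = count(),
            FirstSeen = min(TimeGenerated),
            LastSeen = max(TimeGenerated) by Account
// count() is a long and long / long is integer division, which would round most
// accounts down to 0 EPS; convert to double first
| extend AvgEPS = round(todouble(EventCount) / lookback_seconds, 4)
| project Account, EventCount, AvgEPS, FirstSeen, LastSeen
| order by EventCount desc
```

The FirstSeen/LastSeen columns make it obvious when an account's events cover only part of the 30 days, which is when the window-wide average understates its real rate.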
    Vasgauta
    Copper Contributor

    Can anybody tell me how we can create "events per second" tiles on a dashboard?

      Clive_Watson
      Bronze Contributor

      Vasgauta

      Simply press 'pin' to send the query to a Dashboard or a Workbook, then follow the steps.

      CharlieK95
      Copper Contributor
      Hi Gary,

      Thanks for your response.
      I've tried the below, which has brought me the list of users; however, I can't quite figure out how to pull their events with them. Is there a way I can make another column in the results with their events per second, tied to that user account?

      SecurityEvent
      | where TimeGenerated > ago(1h)
      | where TargetAccount has "<customername>"

      Many thanks,
      C
